diff --git a/releasenotes/notes/cleanup-keystone-role-ea04dd3c915f3bf7.yaml b/releasenotes/notes/cleanup-keystone-role-ea04dd3c915f3bf7.yaml
new file mode 100644
index 0000000..c2807df
--- /dev/null
+++ b/releasenotes/notes/cleanup-keystone-role-ea04dd3c915f3bf7.yaml
@@ -0,0 +1,3 @@
+---
+fixes:
+  - Remove stale old Terraform content from the Keystone side of things.
diff --git a/roles/openstack_helm_keystone/vars/main.yml b/roles/openstack_helm_keystone/vars/main.yml
index 0101d4a..501b95f 100644
--- a/roles/openstack_helm_keystone/vars/main.yml
+++ b/roles/openstack_helm_keystone/vars/main.yml
@@ -84,148 +84,3 @@
     job_credential_cleanup: false
     ingress_api: false
     service_ingress_api: false
-# # LDAP configuration
-# yamlencode({
-#   conf = {
-#     ks_domains = {
-#       for domain, details in var.keystone_ldap_domains : domain => {
-#         identity = {
-#           driver = "ldap"
-#         }
-#         ldap = merge({
-#           tls_cacertfile = "/etc/keystone/ldap/${domain}.crt"
-#         }, details.conf)
-#       }
-#     }
-#   }
-# }),
-
-# # OpenID Connect
-# yamlencode({
-#   bootstrap = {
-#     script = <<-EOT
-#     # Create role for publishing images
-#     openstack role create --or-show image-publisher
-
-#     # Add member role for admin user
-#     openstack role add \
-#           --user="$${OS_USERNAME}" \
-#           --user-domain="$${OS_USER_DOMAIN_NAME}" \
-#           --project-domain="$${OS_PROJECT_DOMAIN_NAME}" \
-#           --project="$${OS_PROJECT_NAME}" \
-#           "member"
-
-#     # Create project for tempest-pushgateway
-#     openstack project create --or-show \
-#       "${kubernetes_secret.tempest_pushgateway.data.OS_PROJECT_NAME}"
-#     openstack user create --or-show \
-#       "${kubernetes_secret.tempest_pushgateway.data.OS_USERNAME}"
-#     openstack user set \
-#       --password="${kubernetes_secret.tempest_pushgateway.data.OS_PASSWORD}" \
-#       "${kubernetes_secret.tempest_pushgateway.data.OS_USERNAME}"
-#     openstack role add \
-#       --user="${kubernetes_secret.tempest_pushgateway.data.OS_USERNAME}" \
-#       --project="${kubernetes_secret.tempest_pushgateway.data.OS_PROJECT_NAME}" \
-#       "member"
-
-#     # Add admin user to default domain
-#     openstack role add \
-#           --user="$${OS_USERNAME}" \
-#           --domain="$${OS_DEFAULT_DOMAIN}" \
-#           "admin"
-#     %{for name, config in var.keystone_openid_connect_idps}
-#     # OpenID connect (${name})
-
-#     # Create Identity provider if it doesn't exist
-#     IDP_ID=$(openstack identity provider show ${name} -c id -f value || :)
-#     if [ -z "$IDP_ID" ]; then
-#         openstack identity provider create --remote-id ${config.issuer} ${name}
-#     else
-#         openstack identity provider set --remote-id ${config.issuer} ${name}
-#     fi
-
-#     # Generate mapping
-#     cat <<EOF | tee /tmp/mapping.json
-#     ${jsonencode(local.keystone_mappings[name])}
-#     EOF
-
-#     # Upload mapping to Keystone
-#     MAPPING_ID=$(openstack mapping show ${name} -c id -f value || :)
-#     if [ -z "$MAPPING_ID" ]; then
-#         openstack mapping create --rules /tmp/mapping.json ${name}
-#     else
-#         openstack mapping set --rules /tmp/mapping.json ${name}
-#     fi
-
-#     # Create federation
-#     FEDERATION_ID=$(openstack federation protocol show --identity-provider ${name} openid -c id -f value || :)
-#     if [ -z "$FEDERATION_ID" ]; then
-#         openstack federation protocol create --identity-provider ${name} --mapping ${name} openid
-#     fi
-#     %{endfor~}
-#     EOT
-#   }
-#   conf = {
-#     wsgi_keystone = <<-EOT
-#     {{- $portInt := tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-
-#     Listen 0.0.0.0:{{ $portInt }}
-
-#     LogFormat "%h %l %u %t \"%r\" %>s %b \"%%{Referer}i\" \"%%{User-Agent}i\"" combined
-#     LogFormat "%%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%%{Referer}i\" \"%%{User-Agent}i\"" proxy
-
-#     SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
-#     CustomLog /dev/stdout combined env=!forwarded
-#     CustomLog /dev/stdout proxy env=forwarded
-
-#     <VirtualHost *:{{ $portInt }}>
-#         WSGIDaemonProcess keystone-public processes=4 threads=1 user=keystone group=keystone display-name=%%{GROUP}
-#         WSGIProcessGroup keystone-public
-#         WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public
-#         WSGIApplicationGroup %%{GLOBAL}
-#         WSGIPassAuthorization On
-#         <IfVersion >= 2.4>
-#           ErrorLogFormat "%%{cu}t %M"
-#         </IfVersion>
-#         ErrorLog /dev/stdout
-
-#         SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
-#         CustomLog /dev/stdout combined env=!forwarded
-#         CustomLog /dev/stdout proxy env=forwarded
-
-#         # OpenID connect
-#         OIDCMetadataDir /var/lib/apache2/oidc
-#         OIDCClaimPrefix "OIDC-"
-#         OIDCSessionType client-cookie
-#         OIDCCryptoPassphrase ${random_password.keystone_openid_connect_crypto_passphrase.result}
-#         OIDCRedirectURLsAllowed ^https://${var.horizon_api_host}/auth/logout/$ ^https://${var.keystone_api_host}
-#         OIDCOAuthVerifyJwksUri https://vexxhost.us.auth0.com/.well-known/jwks.json
-
-#         OIDCRedirectURI https://${var.keystone_api_host}/v3/auth/OS-FEDERATION/identity_providers/redirect
-#         <Location /v3/auth/OS-FEDERATION/identity_providers/redirect>
-#             AuthType openid-connect
-#             Require valid-user
-#         </Location>
-#         <Location /v3/auth/OS-FEDERATION/websso/openid>
-#             AuthType openid-connect
-#             Require valid-user
-#         </Location>
-
-#     %{for name, config in var.keystone_openid_connect_idps}
-#         <Location /v3/auth/OS-FEDERATION/identity_providers/${name}/protocols/openid/websso>
-#             OIDCDiscoverURL https://${var.keystone_api_host}/v3/auth/OS-FEDERATION/identity_providers/redirect?iss=${urlencode(config.issuer)}
-#             AuthType openid-connect
-#             Require valid-user
-#         </Location>
-#         <Location /v3/OS-FEDERATION/identity_providers/${name}/protocols/openid/auth>
-#             LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
-#             Header set Access-Control-Allow-Headers "Authorization,Content-Type"
-#             Header set Access-Control-Allow-Origin "*"
-#             AuthType oauth20
-#             Require valid-user
-#         </Location>
-#     %{endfor}
-#     </VirtualHost>
-#     EOT
-#   }
-# }),