It looks this delegation was added here:

https://github.com/wazuh/wazuh-ansible/commit/6cb6d3bda84c65508881e293e3403dae94ff24cc#diff-f382f2db5d2e651b16fc4b92ec32e988R90

The Linux | Create the agent key via rest-API task was previously doing the same. That has since been changed as well. I think this was just missed.

Hi @singuliere and @paulcalabro I'm the one to blame for that code. :)
If you go ahead and remove that line, you're assuming that the client you're trying to register is able to reach the wazuh-api.
IMHO from a security point of view, it's better to allow the ansible controller to reach the wazuh-api than let every single client connect to the api. The API should be protected and isolated from managed hosts because it can be used for malicious operations.
For example. in my company, our wazuh clients cannot reach the api because the manager is running on procteded network behind a firewall; in this case, your registration logic won't work for our scenario.

What we can do is let the user choose what kind of registration logic wants (ansible-manager -> wazuh-API or wazuh-client -> wazuh-API) .
Let me think about a proper solution... :thinking:

That's a fair argument for keeping it. I think I expected the registration to occur from the agent b/c of how the authd registration functions. But, your approach is more secure. If this could be made configurable to address networking constraints, it would be ideal.

@angystardust thanks for the explanation, it makes perfect sense. It currently is inconsistent (because 689bb8ff35b38fa8258f82db219a4d2565dc5239 removed one delegate_to and not the other) and I wrongly assumed the right solution was the one matching my own use case.

Since @paulcalabro seems to agree with the idea of making it configurable, I'll amend the pull request accordingly.