diff --git a/playbooks/roles/add-bastion-host/README.rst b/playbooks/roles/add-bastion-host/README.rst
new file mode 100644
index 0000000000..bab34c1120
--- /dev/null
+++ b/playbooks/roles/add-bastion-host/README.rst
@@ -0,0 +1,4 @@
+Add the bastion host to the inventory dynamically
+
+For roles that run on the bastion host, it should be added to the
+inventory dynamically by the production jobs.
diff --git a/playbooks/roles/add-bastion-host/tasks/main.yaml b/playbooks/roles/add-bastion-host/tasks/main.yaml
new file mode 100644
index 0000000000..932819f258
--- /dev/null
+++ b/playbooks/roles/add-bastion-host/tasks/main.yaml
@@ -0,0 +1,21 @@
+- name: Get the bastion hostname
+ set_fact:
+ _bastion_hostname: '{{ groups["bastion"][0] }}'
+
+- name: Show bastion details
+ debug:
+ msg: "Bastion host is {{ _bastion_hostname }}"
+
+- name: Add bastion host to inventory for playbook
+ add_host:
+ name: '{{ _bastion_hostname }}'
+ groups: 'bastion'
+ ansible_python_interpreter: python3
+ ansible_user: zuul
+ # Without setting ansible_host directly, mirror-workspace-git-repos
+ # gets sad because if delegate_to localhost and with add_host that
+ # ends up with ansible_host being localhost.
+ ansible_host: '{{ _bastion_hostname }}'
+ ansible_port: 22
+ # Port 19885 is firewalled
+ zuul_console_disabled: true
diff --git a/playbooks/zuul/run-production-playbook-post.yaml b/playbooks/zuul/run-production-playbook-post.yaml
index cdfa5540a7..30c67379c7 100644
--- a/playbooks/zuul/run-production-playbook-post.yaml
+++ b/playbooks/zuul/run-production-playbook-post.yaml
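Review bot: The `set_fact` task in tasks/main.yaml indexes `groups["bastion"][0]` without first checking that the `bastion` group exists and has a member, so a job whose inventory lacks it stops on a templating error instead of a clear precondition failure. An `assert` task ahead of it, with `that: groups['bastion'] | default([]) | length > 0` and a `fail_msg` naming the missing group, would make the requirement explicit. The role README could also say where the `bastion` group is expected to be defined, since that group now decides which host the production jobs connect to as `zuul`.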
@@ -1,19 +1,8 @@ - hosts: localhost - tasks: - - name: Add bridge.o.o to inventory for playbook - add_host: - name: bridge.openstack.org - ansible_python_interpreter: python3 - ansible_user: zuul - # Without setting ansible_host directly, mirror-workspace-git-repos - # gets sad because if delegate_to localhost and with add_host that - # ends up with ansible_host being localhost. - ansible_host: bridge.openstack.org - ansible_port: 22 - # Port 19885 is frewalled - zuul_console_disabled: true + roles: + - add-bastion-host -- hosts: bridge.openstack.org +- hosts: bastion[0] tasks: - name: Encrypt log when: infra_prod_playbook_encrypt_log|default(False) @@ -62,7 +51,7 @@ state: absent when: _encrypt_tempdir is defined - # Not using normal zuul job roles as bridge.openstack.org is not a + # Not using normal zuul job roles as the bastion host is not a # test node with all the normal bits in place. - name: Collect log output synchronize: diff --git a/playbooks/zuul/run-production-playbook.yaml b/playbooks/zuul/run-production-playbook.yaml index e1140dbdb3..51c3070e27 100644 --- a/playbooks/zuul/run-production-playbook.yaml +++ b/playbooks/zuul/run-production-playbook.yaml @@ -1,19 +1,8 @@ - hosts: localhost - tasks: - - name: Add bridge.o.o to inventory for playbook - add_host: - name: bridge.openstack.org - ansible_python_interpreter: python3 - ansible_user: zuul - # Without setting ansible_host directly, mirror-workspace-git-repos - # gets sad because if delegate_to localhost and with add_host that - # ends up with ansible_host being localhost. - ansible_host: bridge.openstack.org - ansible_port: 22 - # Port 19885 is firewalled - zuul_console_disabled: true + roles: + - add-bastion-host -- hosts: bridge.openstack.org +- hosts: bastion[0] tasks: - name: Run the production playbook and capture logs block: 
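Review bot: The second play in both run-production-playbook-post.yaml and run-production-playbook.yaml now targets `bastion[0]`, and its connection settings (`ansible_user`, `ansible_host`, `ansible_port`) come from the add-bastion-host role run in the preceding localhost play; nothing at the play itself records that dependency. A short comment above `- hosts: bastion[0]`, such as `# bastion[0] is the host registered by the add-bastion-host role above`, would keep the coupling visible to the next editor. Because later tasks in the run playbook use `become: yes` on that host, it would also help to state which inventory source defines the `bastion` group, which this diff does not show.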
@@ -27,7 +16,7 @@ become: yes shell: 'echo "Running {{ _log_timestamp }}: ansible-playbook -v -f {{ infra_prod_ansible_forks }} /home/zuul/src/opendev.org/opendev/system-config/playbooks/{{ playbook_name }}" > /var/log/ansible/{{ playbook_name }}.log' - - name: Run specified playbook on bridge.o.o and redirect output + - name: Run specified playbook on bastion host and redirect output become: yes shell: 'ansible-playbook -v -f {{ infra_prod_ansible_forks }} /home/zuul/src/opendev.org/opendev/system-config/playbooks/{{ playbook_name }} >> /var/log/ansible/{{ playbook_name }}.log' register: _run diff --git a/zuul.d/infra-prod.yaml b/zuul.d/infra-prod.yaml index 63e95dc77b..e0f496e6e2 100644 --- a/zuul.d/infra-prod.yaml +++ b/zuul.d/infra-prod.yaml @@ -17,7 +17,7 @@ CD deployment of our infrastructure. Set playbook_name to specify the playbook relative to /home/zuul/src/opendev.org/opendev/system-config/playbooks - on bridge.openstack.org. + on the bastion host. abstract: true semaphores: infra-prod-playbook run: playbooks/zuul/run-production-playbook.yaml