diff --git a/ansible/roles/haproxy/tasks/precheck.yml b/ansible/roles/haproxy/tasks/precheck.yml
index 3e5973205a..e2bfda4a1e 100644
--- a/ansible/roles/haproxy/tasks/precheck.yml
+++ b/ansible/roles/haproxy/tasks/precheck.yml
@@ -79,7 +79,8 @@
   changed_when: false
   failed_when: >-
     '169.254.' not in kolla_internal_vip_address and
-    kolla_internal_vip_address | ipaddr(ip_addr_output.stdout.split()[3]) is none
+    (ip_addr_output | failed or
+     kolla_internal_vip_address | ipaddr(ip_addr_output.stdout.split()[3]) is none)
   when:
     - enable_haproxy | bool
     - container_facts['keepalived'] is not defined
diff --git a/ansible/roles/prechecks/tasks/service_checks.yml b/ansible/roles/prechecks/tasks/service_checks.yml
index 22a52f18c8..3a739c595e 100644
--- a/ansible/roles/prechecks/tasks/service_checks.yml
+++ b/ansible/roles/prechecks/tasks/service_checks.yml
@@ -7,6 +7,9 @@
   failed_when: result | failed
                or (result.stdout | from_yaml).Server.Version | regex_replace('(\\d+\\.\\d+\\.\\d+).*', '\\1') | version_compare(docker_version_min, '<')
 
+# NOTE(mgoddard): If passwords.yml is encrypted using ansible-vault, this check
+# will pass, but only because nothing in the vault file has the format of a
+# YAML dict item.
 - name: Checking empty passwords in passwords.yml. Run kolla-genpwd if this task fails
   local_action: command grep '^[^#].*:\s*$' "{{ CONFIG_DIR | default('/etc/kolla') }}/passwords.yml"
   run_once: True