diff --git a/.kitchen.yml b/.kitchen.yml
index 9d9c3c5..006bc48 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -20,7 +20,8 @@ provisioner:
   ansible_verbose: true
   ansible_version: latest
   require_chef_for_busser: false
-
+  idempotency_test: true
+#  ansible_check: true
 
 verifier:
   name: inspec
diff --git a/build/Dockerfile.ubuntu18 b/build/Dockerfile.ubuntu18
index d8a6ee5..5901eae 100644
--- a/build/Dockerfile.ubuntu18
+++ b/build/Dockerfile.ubuntu18
@@ -14,3 +14,6 @@ RUN touch /home/<%= @username %>/.ssh/authorized_keys
 RUN chown <%= @username %> /home/<%= @username %>/.ssh/authorized_keys
 RUN chmod 0600 /home/<%= @username %>/.ssh/authorized_keys
 RUN echo '<%= IO.read(@public_key).strip %>' >> /home/<%= @username %>/.ssh/authorized_keys
+
+# ansible setup (dry-run mode)
+RUN apt-get install -y python-apt
diff --git a/tasks/debian.yml b/tasks/debian.yml
new file mode 100644
index 0000000..ebb2157
--- /dev/null
+++ b/tasks/debian.yml
@@ -0,0 +1,80 @@
+---
+- name: Setting facts
+  set_fact:
+    url_tmp_file_path: /tmp/packagecloud_{{repository |replace("/", "_")}}_url
+    tmp_file_path: /tmp/packagecloud_{{repository |replace("/", "_")}}_key
+
+- name: Update APT package cache
+  apt:
+    update_cache: true
+  changed_when: false
+
+- name: Install debian-archive-keyring and apt-transport-https
+  apt:
+    pkg:
+      - debian-archive-keyring
+      - apt-transport-https
+    state: present
+
+  # {{ repository }}/gpgkey URL works for both legacy and modern public repositories.
+- name: Add {{repository}} GPG key to apt-key
+  apt_key:
+    url: https://packagecloud.io/{{ repository }}/gpgkey
+    state: present
+  when: master_token is undefined
+
+  # If master_token AND legacy_gpg = true given, then use the legacy GPG key located at /gpg.key
+- name: Add packagecloud.io GPG key to apt-key
+  apt_key:
+    url: https://packagecloud.io/gpg.key
+    state: present
+  when: master_token is defined and legacy_gpg is defined
+
+- name: Get GPG key URL for {{ repository }}
+  uri:
+    url: "{{ debian_gpg_key_url }}"
+    user: "{{ master_token }}"
+    force_basic_auth: true
+    return_content: true
+  register: gpg_url
+  check_mode: false
+  when: master_token is defined and legacy_gpg is undefined
+
+- name: Get GPG key for {{ repository }}
+  uri:
+    url: "https://{{ gpg_url.content.split('@')[1] | trim }}" 
+    user: "{{ gpg_url.content.split('@')[0] | replace ('https://', '') }}"
+    force_basic_auth: true
+    return_content: true
+  register: gpg_key
+  check_mode: false
+  when: master_token is defined and legacy_gpg is undefined
+
+- name: Add {{repository}} GPG key to apt-key
+  apt_key:
+    data: "{{ gpg_key.content | trim }}"
+    state: present
+  when: master_token is defined and legacy_gpg is undefined
+
+- name: "Adding packagecloud.io repository: {{ repository }}"
+  get_url:
+    url: "{{ debian_config_file_url }}"
+    dest: "{{ debian_config_file_location }}"
+    force: false
+  register: added_deb_repository
+  when: master_token is undefined
+
+- name: "Adding packagecloud.io repository: {{ repository }} with generated read token"
+  get_url:
+    url: "{{ debian_config_file_url }}"
+    dest: "{{ debian_config_file_location }}"
+    url_username: "{{ master_token }}"
+    force_basic_auth: true
+    force: false
+  register: added_deb_repository_with_token
+  when: master_token is defined
+
+- name: Update APT package cache
+  apt:
+    update_cache: true
+  when: added_deb_repository.changed or added_deb_repository_with_token.changed
diff --git a/tasks/main.yml b/tasks/main.yml
index 427aee2..78e6532 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,113 +1,8 @@
-- name: Setting facts
-  set_fact:
-    url_tmp_file_path: /tmp/packagecloud_{{repository |replace("/", "_")}}_url
-    tmp_file_path: /tmp/packagecloud_{{repository |replace("/", "_")}}_key
+---
+- name: Debian tasks
+  import_tasks: debian.yml
   when: ansible_os_family == "Debian"
 
-- name: Install debian-archive-keyring and apt-transport-https
-  apt: pkg={{ packages }} state=present update_cache=true
-  vars:
-    packages:
-    - debian-archive-keyring
-    - apt-transport-https
-  when: ansible_os_family == "Debian"
-
-- name: Install pygpgme and yum-utils
-  yum: name={{ packages }} state=present update_cache=true
-  vars:
-    packages:
-    - pygpgme
-    - yum-utils
+- name: RedHat tasks
+  import_tasks: redhat.yml
   when: ansible_os_family == "RedHat"
-
-  # {{ repository }}/gpgkey URL works for both legacy and modern public repositories.
-- name: Add {{repository}} GPG key to apt-key
-  apt_key: url=https://packagecloud.io/{{ repository }}/gpgkey state=present
-  when: ansible_os_family == "Debian" and master_token is undefined
-
-  # If master_token AND legacy_gpg = true given, then use the legacy GPG key located at /gpg.key
-- name: Add packagecloud.io GPG key to apt-key
-  apt_key: url=https://packagecloud.io/gpg.key state=present
-  when: ansible_os_family == "Debian" and master_token is defined and legacy_gpg is defined
-
-  # The following three plays are needed as a workaround since the GPG key URL uses basic auth, and that isn't
-  # supported by lookup('url', url_with_basic_auth) yet: https://github.com/ansible/ansible/pull/43467/files
-  # Instead, we download the generated GPG key URLfrom the GPG key URL config endpoint and save that URL to a file
-  # which is slurp()'ed and curl()'ed by the two plays below.
-- name: Get GPG key URL for {{ repository }}
-  get_url:
-      url: "{{ debian_gpg_key_url }}"
-      dest: "{{ url_tmp_file_path }}"
-      url_username: "{{ master_token }}"
-      force_basic_auth: yes
-  when: ansible_os_family == "Debian" and master_token is defined and legacy_gpg is undefined
-
-  # See above play.
-- name: Register GPG key URL for {{ repository }}
-  slurp:
-    src: "{{ url_tmp_file_path }}"
-  register: url_tmp_file_url
-  when: ansible_os_family == "Debian" and master_token is defined and legacy_gpg is undefined
-
-  # See above play.
-- name: Download key located at GPG key URL for {{ repository }}
-  get_url:
-      url: "{{ url_tmp_file_url['content'] | b64decode | trim }}"
-      dest: "{{ tmp_file_path }}"
-      force_basic_auth: yes
-  when: ansible_os_family == "Debian" and master_token is defined and legacy_gpg is undefined
-
-- name: Add {{repository}} GPG key to apt-key
-  apt_key: file={{ tmp_file_path }} state=present
-  when: ansible_os_family == "Debian" and master_token is defined and legacy_gpg is undefined
-
-- name: Clean up temporary GPG files
-  file: path={{ url_tmp_file_path }} state=absent
-  when: ansible_os_family == "Debian" and master_token is defined and legacy_gpg is undefined
-
-- name: Clean up temporary GPG files
-  file: path={{ tmp_file_path }} state=absent
-  when: ansible_os_family == "Debian" and master_token is defined and legacy_gpg is undefined
-
-- name: "Adding packagecloud.io repository: {{ repository }}"
-  get_url:
-      url: "{{ debian_config_file_url }}"
-      dest: "{{ debian_config_file_location }}"
-  register: added_deb_repository
-  when: ansible_os_family == "Debian" and master_token is undefined
-
-- name: "Adding packagecloud.io repository: {{ repository }} with generated read token"
-  get_url:
-      url: "{{ debian_config_file_url }}"
-      dest: "{{ debian_config_file_location }}"
-      url_username: "{{ master_token }}"
-      force_basic_auth: yes
-  register: added_deb_repository_with_token
-  when: ansible_os_family == "Debian" and master_token is defined
-
-- name: "Adding packagecloud.io repository: {{ repository }}"
-  get_url:
-      url: "{{ redhat_config_file_url }}"
-      dest: "{{ redhat_config_file_location }}"
-  register: added_rpm_repository
-  when: ansible_os_family == "RedHat" and master_token is undefined
-
-- name: "Adding packagecloud.io repository: {{ repository }} with generated read token"
-  get_url:
-      url: "{{ redhat_config_file_url }}"
-      dest: "{{ redhat_config_file_location }}"
-      url_username: "{{ master_token }}"
-      force_basic_auth: yes
-  register: added_rpm_repository_with_token
-  when: ansible_os_family == "RedHat" and master_token is defined
-
-- name: Update APT package cache
-  apt: update_cache=true
-  when: ansible_os_family == "Debian" and (added_deb_repository.changed or added_deb_repository_with_token.changed)
-
-- name: Update yum package cache
-  yum:
-      name: '*'
-      update_cache: yes
-      enablerepo: '{{ repository|replace("/", "_")}}'
-  when: ansible_os_family == "RedHat" and (added_rpm_repository.changed or added_rpm_repository_with_token.changed)
diff --git a/tasks/redhat.yml b/tasks/redhat.yml
new file mode 100644
index 0000000..ee37423
--- /dev/null
+++ b/tasks/redhat.yml
@@ -0,0 +1,32 @@
+---
+- name: Install pygpgme and yum-utils
+  yum: name={{ packages }} state=present update_cache=true
+  vars:
+    packages:
+    - pygpgme
+    - yum-utils
+
+- name: "Adding packagecloud.io repository: {{ repository }}"
+  get_url:
+    url: "{{ redhat_config_file_url }}"
+    dest: "{{ redhat_config_file_location }}"
+    force: false
+  register: added_rpm_repository
+  when: master_token is undefined
+
+- name: "Adding packagecloud.io repository: {{ repository }} with generated read token"
+  get_url:
+    url: "{{ redhat_config_file_url }}"
+    dest: "{{ redhat_config_file_location }}"
+    url_username: "{{ master_token }}"
+    force_basic_auth: yes
+    force: false
+  register: added_rpm_repository_with_token
+  when: master_token is defined
+
+- name: Update yum package cache
+  yum:
+    name: '*'
+    update_cache: yes
+    enablerepo: '{{ repository|replace("/", "_")}}'
+  when: added_rpm_repository.changed or added_rpm_repository_with_token.changed