diff --git a/src/playbooks/site.yml b/src/playbooks/site.yml
index 038dce9cd..c14de06a3 100644
--- a/src/playbooks/site.yml
+++ b/src/playbooks/site.yml
@@ -11,7 +11,7 @@
   tasks:
   - name: Ensure no password on meza-ansible user on controller
     shell: passwd --delete meza-ansible
-    ignore_errors: yes
+    failed_when: False
 
   - name: Ensure controller has user alt-meza-ansible
     user:
@@ -49,7 +49,7 @@
       owner: alt-meza-ansible
       group: wheel
       mode: "{{ item.mode }}"
-    ignore_errors: True
+    failed_when: False
     with_items:
     - name: known_hosts
       mode: "0600"
@@ -59,7 +59,7 @@
       ansible-vault encrypt
       /opt/conf-meza/secret/{{ env }}/secret.yml
       --vault-password-file {{ m_home }}/meza-ansible/.vault-pass-{{ env }}.txt
-    ignore_errors: True
+    failed_when: False
 
   # Note: without this, the encryption above changes mode to 0600 and ownership
   # to root:root. This makes it impossible to include_vars later.
diff --git a/src/roles/base/tasks/main.yml b/src/roles/base/tasks/main.yml
index 27a2443c6..cdc0ea9db 100644
--- a/src/roles/base/tasks/main.yml
+++ b/src/roles/base/tasks/main.yml
@@ -39,7 +39,7 @@
 
 - name: Ensure no password on alt-meza-ansible user
   shell: passwd --delete alt-meza-ansible
-  ignore_errors: yes
+  failed_when: False
 
 # Add line to visudo file if it does not exist
 - name: Ensure alt-meza-ansible is passwordless sudoer
@@ -234,7 +234,7 @@
 
   # Ignore errors due issue #699: If a crontab doesn't exist yet this command
   # will fail
-  ignore_errors: yes
+  failed_when: False
 
 # Ref: http://docs.ansible.com/ansible/playbooks_loops.html#id4
 - name: Copy any custom PEM-format CA certs into place
diff --git a/src/roles/database/tasks/replication.yml b/src/roles/database/tasks/replication.yml
index cfaa3222f..673cb3b6d 100644
--- a/src/roles/database/tasks/replication.yml
+++ b/src/roles/database/tasks/replication.yml
@@ -37,7 +37,7 @@
 #
 - name: Check slave replication status.
   mysql_replication: mode=getslave
-  ignore_errors: true
+  failed_when: False
   register: slave
   when: >
     not role_is_valid_slave|skipped
@@ -147,7 +147,7 @@
     master_password: "{{ mysql_replication_user.password }}"
     master_log_file: "{{ master.File }}"
     master_log_pos: "{{ master.Position }}"
-  ignore_errors: True
+  failed_when: False
   when: >
     not slave_needs_configuration|skipped
     and not role_is_valid_slave|skipped
diff --git a/src/roles/elasticsearch/tasks/es_upgrade.yml b/src/roles/elasticsearch/tasks/es_upgrade.yml
index 2e4550767..890de15c5 100644
--- a/src/roles/elasticsearch/tasks/es_upgrade.yml
+++ b/src/roles/elasticsearch/tasks/es_upgrade.yml
@@ -20,7 +20,7 @@
 # them manually.
 - name: Ensure elasticsearch plugins removed
   shell: "/usr/share/elasticsearch/bin/plugin remove {{ item }}"
-  ignore_errors: True
+  failed_when: False
   with_items:
     - bigdesk
     - head
diff --git a/src/roles/haproxy/tasks/main.yml b/src/roles/haproxy/tasks/main.yml
index 1117c3176..541e5d3a5 100644
--- a/src/roles/haproxy/tasks/main.yml
+++ b/src/roles/haproxy/tasks/main.yml
@@ -56,7 +56,7 @@
     ansible-vault encrypt
     {{ item }}
     --vault-password-file {{ m_home }}/meza-ansible/.vault-pass-{{ env }}.txt
-  ignore_errors: True
+  failed_when: False
   delegate_to: localhost
   run_once: True
   with_items:
diff --git a/src/roles/key-transfer/tasks/grant-keys.yml b/src/roles/key-transfer/tasks/grant-keys.yml
index e8dea6195..e97a9be4d 100644
--- a/src/roles/key-transfer/tasks/grant-keys.yml
+++ b/src/roles/key-transfer/tasks/grant-keys.yml
@@ -25,4 +25,4 @@
     group: root
     mode: "0644"
   delegate_to: "{{ granted_server }}"
-  ignore_errors: True
+  failed_when: False
diff --git a/src/roles/mediawiki/tasks/main.yml b/src/roles/mediawiki/tasks/main.yml
index 91cbdee2c..5e9dad419 100644
--- a/src/roles/mediawiki/tasks/main.yml
+++ b/src/roles/mediawiki/tasks/main.yml
@@ -39,7 +39,7 @@
     owner: meza-ansible
     group: wheel
     mode: "{{ item.mode }}"
-  ignore_errors: True
+  failed_when: False
   with_items:
   - name: known_hosts
     mode: "0600"
@@ -57,7 +57,7 @@
     block: |
       [diff]
           ignoreSubmodules = all
-  ignore_errors: True
+  failed_when: False
   tags:
     - mediawiki-core
 - name: Ensure MediaWiki core owned by meza-ansible
@@ -201,7 +201,7 @@
     working_dir: "{{ m_mediawiki }}"
     no_dev: no
   # FIXME #317: need ignore_errors because composer throws an error when running as root.
-  # ignore_errors: yes
+  # failed_when: False
   tags:
     - composer-extensions
     - latest
@@ -216,7 +216,7 @@
     working_dir: "{{ m_mediawiki }}"
     no_dev: no
   # FIXME #317: need ignore_errors because composer throws an error when running as root.
-  # ignore_errors: yes
+  # failed_when: False
   tags:
     - composer-extensions
     - latest
diff --git a/src/roles/meza-log/tasks/main.yml b/src/roles/meza-log/tasks/main.yml
index 9be6f983d..c69284aa4 100644
--- a/src/roles/meza-log/tasks/main.yml
+++ b/src/roles/meza-log/tasks/main.yml
@@ -3,7 +3,7 @@
 - name: "Check if server log database exists"
   shell: 'mysqlshow "{{ meza_server_log_db }}" | grep -v Wildcard | grep -o {{ meza_server_log_db }}'
   register: register_server_log
-  ignore_errors: yes
+  failed_when: False
   run_once: true
 
 - name: "Set fact if server log database DOES exist"
@@ -31,7 +31,7 @@
 - name: "Check if disk_space table exists"
   shell: "sudo mysql -e\"USE {{ meza_server_log_db }}; SHOW TABLES LIKE 'disk_space'\" | grep disk_space"
   register: register_disk_space
-  ignore_errors: yes
+  failed_when: False
   run_once: true
 
 - name: "Set fact if disk_space table DOES exist"
diff --git a/src/roles/nodejs/tasks/main.yml b/src/roles/nodejs/tasks/main.yml
index cc7e1ca1b..60371eb5e 100644
--- a/src/roles/nodejs/tasks/main.yml
+++ b/src/roles/nodejs/tasks/main.yml
@@ -45,7 +45,7 @@
 - name: What version of node, if any, is installed
   shell: node --version
   register: node_version
-  ignore_errors: yes
+  failed_when: False
 
 - debug: { var: node_version }
 
diff --git a/src/roles/remote-mysqldump/tasks/main.yml b/src/roles/remote-mysqldump/tasks/main.yml
index dbc666cee..041b47e55 100644
--- a/src/roles/remote-mysqldump/tasks/main.yml
+++ b/src/roles/remote-mysqldump/tasks/main.yml
@@ -66,7 +66,7 @@
   shell: 'mysqlshow "wiki_{{ wiki_id }}" | grep -v Wildcard | grep -o wiki_{{ wiki_id }}'
   register: source_wiki_exists_check
   delegate_to: "{{ target_server }}"
-  ignore_errors: yes
+  failed_when: False
   run_once: true
 
 - name: "{{ wiki_id }} - Set fact if database wiki_{{ wiki_id }} DOES exist ON SOURCE SERVER"
diff --git a/src/roles/set-vars/tasks/main.yml b/src/roles/set-vars/tasks/main.yml
index 31ce0d6b0..b6663588a 100644
--- a/src/roles/set-vars/tasks/main.yml
+++ b/src/roles/set-vars/tasks/main.yml
@@ -13,7 +13,7 @@
   include_vars:
     file: "{{ m_local_public }}/public.yml"
   # Ingore errors so this file is not required to be included
-  ignore_errors: yes
+  failed_when: False
 
 - name: Get individual wikis dirs from localhost
   find:
@@ -30,10 +30,11 @@
   include_vars:
     file: "{{ m_local_public }}/env/{{ env }}.yml"
   # Ingore errors so this file is not required to be included
-  ignore_errors: yes
+  failed_when: False
 
 - name: Set meza local secret variables
   include_vars:
     file: "{{ m_local_secret }}/{{ env }}/secret.yml"
-  # DO NOT ingore errors generally, except when setting up an env
-  ignore_errors: "{{ allow_missing_secret_config | default(false) }}"
+  # Can't load secret.yml when it doesn't exist yet, so skip this while setting
+  # up an environment
+  when: not allow_missing_secret_config|default(false)
diff --git a/src/roles/verify-wiki/tasks/main.yml b/src/roles/verify-wiki/tasks/main.yml
index fb85bb034..4a6155618 100644
--- a/src/roles/verify-wiki/tasks/main.yml
+++ b/src/roles/verify-wiki/tasks/main.yml
@@ -93,7 +93,7 @@
   shell: 'mysqlshow "wiki_{{ wiki_id }}" | grep -v Wildcard | grep -o wiki_{{ wiki_id }}'
   register: wiki_exists_check
   delegate_to: "{{ groups['db-master'][0] }}"
-  ignore_errors: yes
+  failed_when: False
   run_once: true
 
 - name: "{{ wiki_id }} - Set fact if database wiki_{{ wiki_id }} DOES exist"
diff --git a/src/roles/verify-wiki/tasks/transfer-backup-to-db-master.yml b/src/roles/verify-wiki/tasks/transfer-backup-to-db-master.yml
index e8432e334..235af22b5 100644
--- a/src/roles/verify-wiki/tasks/transfer-backup-to-db-master.yml
+++ b/src/roles/verify-wiki/tasks/transfer-backup-to-db-master.yml
@@ -33,7 +33,7 @@
   delegate_to: "{{ sql_backup_server }}"
   run_once: true
   remote_user: "{{ db_backup_server_remote_user }}"
-  ignore_errors: yes
+  failed_when: False
   when: backup_dir_exists and (not wiki_exists or intend_overwrite_from_backup)
 
 - name: "{{ wiki_id }} - Set fact if SQL file DOES exist"
diff --git a/tests/deploys/setup-alt-source-backup.yml b/tests/deploys/setup-alt-source-backup.yml
index fb3ed2b22..08bd19716 100644
--- a/tests/deploys/setup-alt-source-backup.yml
+++ b/tests/deploys/setup-alt-source-backup.yml
@@ -93,5 +93,5 @@
 
     - name: Ensure no password on test-user
       shell: passwd --delete test-user
-      ignore_errors: yes
+      failed_when: False