diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml
index 6fd58a8..781ea74 100644
--- a/roles/apache/tasks/main.yml
+++ b/roles/apache/tasks/main.yml
@@ -14,6 +14,9 @@
     group=apache
   with_fileglob:
   - '{{ inventory_hostname }}.keytab'
+  tags:
+  - apache-config
+  - keytab
 
 - name: ensure tls private key exists
   copy:
@@ -24,6 +27,8 @@
   with_fileglob:
   - '{{ inventory_hostname }}.key'
   notify: reload httpd
+  tags:
+  - cert
 - name: ensure tls certificate exists
   copy:
    src={{ item }}
@@ -32,6 +37,8 @@
    setype=cert_t
   with_fileglob:
   - '{{ inventory_hostname }}.cer'
+  tags:
+  - cert
   notify: reload httpd
 - name: ensure tls ca certificate exists
   copy:
@@ -43,12 +50,16 @@
   with_fileglob:
   - '{{ inventory_hostname }}-ca.crt'
   notify: reload httpd
+  tags:
+  - cert
 - name: ensure ssl.include is populated
   template:
     src=ssl.include.j2
     dest=/etc/httpd/conf.d/ssl.include
     mode=0644
   notify: reload httpd
+  tags:
+  - apache-config
 - name: ensure mod_ssl is configured
   template:
     src=ssl.conf.j2
@@ -56,6 +67,8 @@
     mode=0644
     setype=httpd_config_t
   notify: reload httpd
+  tags:
+  - apache-config
 
 - name: ensure apache userdir module is configured
   template:
@@ -63,11 +76,15 @@
     dest=/etc/httpd/conf.d/userdir.conf
     mode=0644
   notify: reload httpd
+  tags:
+  - apache-config
 - name: ensure selinux is configured for apache user directories
   seboolean:
     name=httpd_enable_homedirs
     persistent=yes
     state={{ 'yes' if apache_userdir is defined else 'no' }}
+  tags:
+  - selinux
 
 - name: ensure apache mpm module is configured
   template:
@@ -75,6 +92,8 @@
     dest=/etc/httpd/conf.modules.d/00-mpm.conf
     mode=0644
     setype=httpd_config_t
+  tags:
+  - apache-config
   notify: reload httpd
 - name: ensure apache server name is set
   template:
@@ -83,11 +102,15 @@
     mode=0644
     setype=httpd_config_t
   notify: reload httpd
+  tags:
+  - apache-config
 
 - name: ensure httpd service starts at boot
   service:
     name=httpd
     enabled=yes
+  tags:
+  - service
 
 - name: ensure web ports are open in firewall
   firewalld: >-
@@ -98,9 +121,13 @@
     state=enabled
   with_items: '{{ web_ports }}'
   notify: save firewalld configuration
+  tags:
+  - firewall
 
 - name: ensure old apache logs are rotated
   template:
     src=httpd.logrotate.j2
     dest=/etc/logrotate.d/httpd
     mode=0644
+  tags:
+  - logrotate