diff --git a/playbooks/bootstrap-bridge.yaml b/playbooks/bootstrap-bridge.yaml
index 648d660327..794656350c 100644
--- a/playbooks/bootstrap-bridge.yaml
+++ b/playbooks/bootstrap-bridge.yaml
@@ -1,4 +1,18 @@
-- hosts: bridge.openstack.org:!disabled
+# NOTE: This is included from two paths to setup the bridge/bastion
+# host in different circumstances:
+#
+# 1) Gate tests -- here Zuul is running this on the executor against
+#    ephemeral nodes.  It uses the "bastion" group as defined in the
+#    system-config-run jobs.
+#
+# 2) Production -- here we actually run against the real bastion host.
+#    The host is dynamically added in opendev/base-jobs before this
+#    runs, and put into a group called "bastion".
+#
+# In both cases, the "bastion" group has one entry, which is the
+# bastion host to run against.
+
+- hosts: bastion[0]:!disabled
   name: "Bridge: bootstrap the bastion host"
   become: true
   tasks:
@@ -53,6 +67,14 @@
             content: '{{ _root_rsa_key_dict | to_nice_json }}'
             dest: '/home/zuul/root-rsa-key.json'
 
+        - name: Save abstracted inventory file
+          copy:
+            content: |
+                {{ inventory_hostname }}
+                [bastion]
+                {{ inventory_hostname }}
+            dest: '/home/zuul/bastion-inventory.ini'
+
     - name: Make ansible log directory
       file:
         path: '/var/log/ansible'
@@ -68,11 +90,10 @@
       environment:
         ROOT_RSA_KEY: '{{ "-e @/home/zuul/root-rsa-key.json" if root_rsa_key is defined else "" }}'
         # In production "install-ansible" has setup ansible to point
-        # to the system-config inventory which has bridge in it.  In
-        # the gate, bridge is ephemeral and we haven't yet built the
-        # inventory to use for testing (that is done in
-        # zuul/run-base.yaml).  Pass the hostname -- the playbook uses
-        # the local connection.
-        BRIDGE_INVENTORY: '{{ "-ibridge.openstack.org," if root_rsa_key is defined else "" }}'
+        # to the system-config inventory which has the bastion group
+        # in it.  In the gate, bridge is ephemeral and we haven't yet
+        # built the inventory to use for testing (that is done in
+        # zuul/run-base.yaml).  Use this constructed inventory.
+        BRIDGE_INVENTORY: '{{ "-i/home/zuul/bastion-inventory.ini" if root_rsa_key is defined else "" }}'
         ANSIBLE_ROLES_PATH: '/home/zuul/src/opendev.org/opendev/system-config/playbooks/roles'
       no_log: true
diff --git a/playbooks/zuul/run-production-bootstrap-bridge-add-rootkey.yaml b/playbooks/zuul/run-production-bootstrap-bridge-add-rootkey.yaml
index f41c4f9315..ab44d63ab9 100644
--- a/playbooks/zuul/run-production-bootstrap-bridge-add-rootkey.yaml
+++ b/playbooks/zuul/run-production-bootstrap-bridge-add-rootkey.yaml
@@ -1,4 +1,4 @@
-- hosts: bridge.openstack.org
+- hosts: bastion[0]
   connection: local
   tasks:
     - name: Install root keys
diff --git a/playbooks/zuul/run-production-bootstrap-bridge.yaml b/playbooks/zuul/run-production-bootstrap-bridge.yaml
index 9c20e4af57..73ddd84bd5 100644
--- a/playbooks/zuul/run-production-bootstrap-bridge.yaml
+++ b/playbooks/zuul/run-production-bootstrap-bridge.yaml
@@ -3,6 +3,7 @@
     - name: Add bridge.o.o to inventory for playbook
       add_host:
         name: bridge.openstack.org
+        groups: 'bastion'
         ansible_python_interpreter: python3
         ansible_user: zuul
         # Without setting ansible_host directly, mirror-workspace-git-repos