From cf69e9778beb533d7403af1055026985635e7412 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Wed, 31 Jan 2024 17:09:26 +0300 Subject: [PATCH 01/17] feat: add vault-token module --- vault-token/README.md | 54 +++++++++++++++++++++++++ vault-token/main.tf | 57 +++++++++++++++++++++++++++ vault-token/run.sh | 92 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 203 insertions(+) create mode 100644 vault-token/README.md create mode 100644 vault-token/main.tf create mode 100644 vault-token/run.sh diff --git a/vault-token/README.md b/vault-token/README.md new file mode 100644 index 00000000..6d91d75b --- /dev/null +++ b/vault-token/README.md 
@@ -0,0 +1,54 @@ +--- +display_name: Hashicorp Vault Integration (Token) +description: Authenticates with Vault using Token +icon: ../.icons/vault.svg +maintainer_github: coder +verified: true +tags: [helper, integration, vault, token] +--- + +# Hashicorp Vault Integration (Token) + +This module lets you authenticate with [Hashicorp Vault](https://www.vaultproject.io/) in your Coder workspaces using a [Vault token](https://developer.hashicorp.com/vault/docs/auth/token). + +```tf +module "vault" { + source = "registry.coder.com/modules/vault-token/coder" + version = "1.0.2" + agent_id = coder_agent.example.id + vault_token = "s.1234567890" + vault_addr = "https://vault.example.com" +} +``` + +Then you can use the Vault CLI in your workspaces to fetch secrets from Vault: + +```shell +vault kv get -mount=secret my-secret +``` + +or using the Vault API: + +```shell +curl -H "X-Vault-Token: ${VAULT_TOKEN}" -X GET "${VAULT_ADDR}/v1/secret/data/my-secret" +``` + +![Vault login](../.images/vault-login.png) + +## Configuration + +To configure the Vault module, you must create a Vault token with the the required permissions and configure the module with the token and Vault address. + +## Examples + +### Configure Vault integration and install a specific version of the Vault CLI + +```tf +module "vault" { + source = "registry.coder.com/modules/vault-token/coder" + version = "1.0.2" + agent_id = coder_agent.example.id + vault_addr = "https://vault.example.com" + vault_cli_version = "1.15.0" +} +``` diff --git a/vault-token/main.tf b/vault-token/main.tf new file mode 100644 index 00000000..8105054b --- /dev/null +++ b/vault-token/main.tf 
@@ -0,0 +1,57 @@ +terraform { + required_version = ">= 1.0" + + required_providers { + coder = { + source = "coder/coder" + version = ">= 0.12.4" + } + } +} + +# Add required variables for your modules and remove any unneeded variables +variable "agent_id" { + type = string + description = "The ID of a Coder agent." +} + +variable "vault_addr" { + type = string + description = "The address of the Vault server." +} + +variable "vault_cli_version" { + type = string + description = "The version of Vault to install." + default = "latest" + validation { + condition = can(regex("^(latest|[0-9]+\\.[0-9]+\\.[0-9]+)$", var.vault_cli_version)) + error_message = "Vault version must be in the format 0.0.0 or latest" + } +} + +variable "vault_token" { + type = string + description = "The Vault token to use for authentication." +} + +data "coder_workspace" "me" {} + +resource "coder_script" "vault" { + agent_id = var.agent_id + display_name = "Vault (Token)" + icon = "/icon/vault.svg" + script = templatefile("${path.module}/run.sh", { + VAULT_ADDR : var.vault_addr, + VAULT_TOKEN : var.vault_token, + INSTALL_VERSION : var.vault_cli_version, + }) + run_on_start = true + start_blocks_login = true +} + +resource "coder_env" "vault_addr" { + agent_id = var.agent_id + name = "VAULT_ADDR" + value = var.vault_addr +} \ No newline at end of file diff --git a/vault-token/run.sh b/vault-token/run.sh new file mode 100644 index 00000000..eece906f --- /dev/null +++ b/vault-token/run.sh 
@@ -0,0 +1,92 @@ +#!/usr/bin/env sh + +# Convert all templated variables to shell variables +INSTALL_VERSION=${INSTALL_VERSION} +VAULT_ADDR=${VAULT_ADDR} +VAULT_TOKEN=${VAULT_TOKEN} + +fetch() { + dest="$1" + url="$2" + if command -v curl > /dev/null 2>&1; then + curl -sSL --fail "$${url}" -o "$${dest}" + elif command -v wget > /dev/null 2>&1; then + wget -O "$${dest}" "$${url}" + elif command -v busybox > /dev/null 2>&1; then + busybox wget -O "$${dest}" "$${url}" + else + printf "curl, wget, or busybox is not installed. Please install curl or wget in your image.\n" + exit 1 + fi +} + +unzip() { + if command -v unzip > /dev/null 2>&1; then + command unzip "$@" + elif command -v busybox > /dev/null 2>&1; then + busybox unzip "$@" + else + printf "unzip or busybox is not installed. Please install unzip in your image.\n" + exit 1 + fi +} + +# Fetch the latest version of Vault if INSTALL_VERSION is 'latest' +if [ "$${INSTALL_VERSION}" = "latest" ]; then + LATEST_VERSION=$(curl -s https://releases.hashicorp.com/vault/ | grep -oP 'vault/\K[0-9]+\.[0-9]+\.[0-9]+' | sort -V | tail -n 1) + printf "Latest version of Vault is %s.\n\n" "$${LATEST_VERSION}" + if [ -z "$${LATEST_VERSION}" ]; then + printf "Failed to determine the latest Vault version.\n" + exit 1 + fi + VERSION=$${LATEST_VERSION} +fi + +# Check if the vault CLI is installed and has the correct version +installation_needed=1 +if command -v vault > /dev/null 2>&1; then + CURRENT_VERSION=$(vault version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+') + if [ "$${CURRENT_VERSION}" = "$${INSTALL_VERSION}" ]; then + printf "Vault version %s is already installed and up-to-date.\n\n" "$${CURRENT_VERSION}" + installation_needed=0 + fi +fi + +if [ $${installation_needed} -eq 1 ]; then + # Download and install Vault + if [ -z "$${CURRENT_VERSION}" ]; then + printf "Installing Vault CLI ...\n\n" + else + printf "Upgrading Vault CLI from version %s to %s ...\n\n" "$${CURRENT_VERSION}" "$${VERSION}" + fi + fetch vault.zip 
"https://releases.hashicorp.com/vault/$${VERSION}/vault_$${VERSION}_linux_amd64.zip" + if [ $? -ne 0 ]; then + printf "Failed to download Vault.\n" + exit 1 + fi + unzip vault.zip + if [ $? -ne 0 ]; then + printf "Failed to unzip Vault.\n" + exit 1 + fi + rm vault.zip + if sudo mv vault /usr/local/bin/vault 2> /dev/null; then + printf "Vault installed successfully!\n\n" + else + mkdir -p ~/.local/bin + mv vault ~/.local/bin/vault + if [ ! -f ~/.local/bin/vault ]; then + printf "Failed to move Vault to local bin.\n" + exit 1 + fi + printf "Please add ~/.local/bin to your PATH to use vault CLI.\n" + fi +fi + +# Login to vault using the configured token +export VAULT_ADDR="$${VAULT_ADDR}" +export VAULT_TOKEN="$${VAULT_TOKEN}" +printf "🔑 Authenticating with Vault ...\n\n" +vault login -no-print token="$${VAULT_TOKEN}" +printf "🥳 Vault authentication complete!\n\n" +printf "You can now use Vault CLI to access secrets.\n" From 48de7e436ce6cd45635fab502cb4ebc7a69d339a Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Fri, 2 Feb 2024 12:56:02 +0300 Subject: [PATCH 02/17] remove TOKEN and ADDR from script --- vault-token/run.sh | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/vault-token/run.sh b/vault-token/run.sh index eece906f..dca40830 100644 --- a/vault-token/run.sh +++ b/vault-token/run.sh @@ -1,9 +1,7 @@ -#!/usr/bin/env sh +#!/usr/bin/env bash # Convert all templated variables to shell variables INSTALL_VERSION=${INSTALL_VERSION} -VAULT_ADDR=${VAULT_ADDR} -VAULT_TOKEN=${VAULT_TOKEN} fetch() { dest="$1" 
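Review bot: The archive fetched by `fetch vault.zip "https://releases.hashicorp.com/vault/$${VERSION}/vault_$${VERSION}_linux_amd64.zip"` is unzipped and moved into `/usr/local/bin` with sudo without any integrity check, so a corrupted or tampered download is installed as-is; HashiCorp publishes a `vault_<VERSION>_SHA256SUMS` file beside the zip that `sha256sum -c` (busybox has it too) can verify before extraction. The same unverified download is carried through patches 10 and 11 of this series. The `latest` lookup calls `curl -s` directly instead of going through `fetch`, so an image that only has wget or busybox always lands in the empty-version branch, and `grep -oP` needs GNU grep, which neither the `#!/usr/bin/env sh` shebang nor the busybox fallbacks above guarantee. The fence below keeps the `$${…}` escaping this file uses because it is rendered through `templatefile`.
```shell
  # … unchanged: "Installing" / "Upgrading" messages …
  zip="vault_$${VERSION}_linux_amd64.zip"
  if ! fetch "$${zip}" "https://releases.hashicorp.com/vault/$${VERSION}/$${zip}"; then
    printf "Failed to download Vault.\n"
    exit 1
  fi
  if ! fetch vault_SHA256SUMS "https://releases.hashicorp.com/vault/$${VERSION}/vault_$${VERSION}_SHA256SUMS"; then
    printf "Failed to download the Vault checksum file.\n"
    exit 1
  fi
  # sha256sum -c looks the archive up under its published name, so keep only that line
  if ! grep -F -- "$${zip}" vault_SHA256SUMS | sha256sum -c -; then
    printf "Checksum verification of Vault failed.\n"
    exit 1
  fi
  if ! unzip "$${zip}"; then
    printf "Failed to unzip Vault.\n"
    exit 1
  fi
  rm "$${zip}" vault_SHA256SUMS
  # … unchanged: sudo mv / ~/.local/bin fallback …
```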
@@ -82,11 +80,3 @@ if [ $${installation_needed} -eq 1 ]; then printf "Please add ~/.local/bin to your PATH to use vault CLI.\n" fi fi - -# Login to vault using the configured token -export VAULT_ADDR="$${VAULT_ADDR}" -export VAULT_TOKEN="$${VAULT_TOKEN}" -printf "🔑 Authenticating with Vault ...\n\n" -vault login -no-print token="$${VAULT_TOKEN}" -printf "🥳 Vault authentication complete!\n\n" -printf "You can now use Vault CLI to access secrets.\n" From 36b4983eb034248ff716ec07e001df7ce59aec16 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Fri, 2 Feb 2024 12:58:06 +0300 Subject: [PATCH 03/17] use coder_env --- vault-token/main.tf | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/vault-token/main.tf b/vault-token/main.tf index 8105054b..94517d10 100644 --- a/vault-token/main.tf +++ b/vault-token/main.tf @@ -20,6 +20,12 @@ variable "vault_addr" { description = "The address of the Vault server." } +variable "vault_token" { + type = string + description = "The Vault token to use for authentication." + sensitive = true +} + variable "vault_cli_version" { type = string description = "The version of Vault to install." @@ -30,11 +36,6 @@ variable "vault_cli_version" { } } -variable "vault_token" { - type = string - description = "The Vault token to use for authentication." -} - data "coder_workspace" "me" {} resource "coder_script" "vault" { @@ -42,8 +43,6 @@ resource "coder_script" "vault" { display_name = "Vault (Token)" icon = "/icon/vault.svg" script = templatefile("${path.module}/run.sh", { - VAULT_ADDR : var.vault_addr, - VAULT_TOKEN : var.vault_token, INSTALL_VERSION : var.vault_cli_version, }) run_on_start = true @@ -54,4 +53,10 @@ resource "coder_env" "vault_addr" { agent_id = var.agent_id name = "VAULT_ADDR" value = var.vault_addr -} \ No newline at end of file +} + +resource "coder_env" "vault_token" { + agent_id = var.agent_id + name = "VAULT_TOKEN" + value = var.vault_token +} 
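Review bot: The new `coder_env "vault_token"` resource places one static token, supplied once as a module input, into the environment of every workspace built from the template, so all users share the same Vault identity and a leak from any single workspace means rotating the template-wide token; the `vault_token` description should state that and that a token with a bounded TTL and a narrow policy is expected, since nothing in the module renews or scopes it. Something like `description = "The Vault token to use for authentication. It is exposed to every workspace using this module; use a dedicated token with a limited TTL and policy."` makes the blast radius explicit to template authors. `sensitive = true` keeps the value out of plan output, but not out of the workspace environment where `coder_env` puts it.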
From 74fdbf5fd0cda84aece1f7eefd4a871ae85ea883 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Fri, 2 Feb 2024 13:16:13 +0300 Subject: [PATCH 04/17] Update README.md --- vault-token/README.md | 44 ++++++++++++++++++++++++++++++++++++------- 1 file changed, 37 insertions(+), 7 deletions(-) diff --git a/vault-token/README.md b/vault-token/README.md index 6d91d75b..126cec51 100644 --- a/vault-token/README.md +++ b/vault-token/README.md @@ -3,6 +3,7 @@ display_name: Hashicorp Vault Integration (Token) description: Authenticates with Vault using Token icon: ../.icons/vault.svg maintainer_github: coder +partner_github: hashicorp verified: true tags: [helper, integration, vault, token] --- @@ -12,11 +13,17 @@ tags: [helper, integration, vault, token] This module lets you authenticate with [Hashicorp Vault](https://www.vaultproject.io/) in your Coder workspaces using a [Vault token](https://developer.hashicorp.com/vault/docs/auth/token). ```tf +variable "vault_token" { + type = string + description = "The Vault token to use for authentication." + sensitive = true +} + module "vault" { source = "registry.coder.com/modules/vault-token/coder" - version = "1.0.2" + version = "1.0.3" agent_id = coder_agent.example.id - vault_token = "s.1234567890" + vault_token = var.token vault_addr = "https://vault.example.com" } ``` 
@@ -24,31 +31,54 @@ module "vault" { Then you can use the Vault CLI in your workspaces to fetch secrets from Vault: ```shell -vault kv get -mount=secret my-secret +vault kv get -mount=coder my-secret ``` or using the Vault API: ```shell -curl -H "X-Vault-Token: ${VAULT_TOKEN}" -X GET "${VAULT_ADDR}/v1/secret/data/my-secret" +curl -H "X-Vault-Token: ${VAULT_TOKEN}" -X GET "${VAULT_ADDR}/v1/coder/data/my-secret" ``` -![Vault login](../.images/vault-login.png) - ## Configuration To configure the Vault module, you must create a Vault token with the the required permissions and configure the module with the token and Vault address. +1. Create a vault policy `read-coder-secrets.hcl` with read access to the secret mount you need your developers to access. + ```hcl + path "coder/data/*" { + capabilities = ["read"] + } + path "coder/metadata/*" { + capabilities = ["read"] + } + ``` + ```shell + vault policy write read-coder-secrets ead-coder-secrets.hcl + ``` +2. Create a token using this policy. + ```shell + vault token create -policy="read-coder-secrets" + ``` +3. Copy the generated and use in your template. + ## Examples ### Configure Vault integration and install a specific version of the Vault CLI ```tf +variable "vault_token" { + type = string + description = "The Vault token to use for authentication." + sensitive = true +} + module "vault" { source = "registry.coder.com/modules/vault-token/coder" - version = "1.0.2" + version = "1.0.3" agent_id = coder_agent.example.id vault_addr = "https://vault.example.com" + vault_token = var.token vault_cli_version = "1.15.0" } ``` From e56dec2afc6318d81b49466719f189edc7426fe8 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Fri, 2 Feb 2024 13:24:57 +0300 Subject: [PATCH 05/17] Fix typo in README.md --- vault-token/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vault-token/README.md b/vault-token/README.md index 126cec51..b7d23398 100644 --- a/vault-token/README.md +++ b/vault-token/README.md 
@@ -60,7 +60,7 @@ To configure the Vault module, you must create a Vault token with the the requir ```shell vault token create -policy="read-coder-secrets" ``` -3. Copy the generated and use in your template. +3. Copy the generated token and use in your template. ## Examples From 8a09be8b71caf36ddfacaf05d4256a0807a3db65 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Fri, 2 Feb 2024 14:01:05 +0300 Subject: [PATCH 06/17] refactor --- vault-token/README.md | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/vault-token/README.md b/vault-token/README.md index b7d23398..3ad6ba12 100644 --- a/vault-token/README.md +++ b/vault-token/README.md @@ -44,17 +44,16 @@ curl -H "X-Vault-Token: ${VAULT_TOKEN}" -X GET "${VAULT_ADDR}/v1/coder/data/my-s To configure the Vault module, you must create a Vault token with the the required permissions and configure the module with the token and Vault address. -1. Create a vault policy `read-coder-secrets.hcl` with read access to the secret mount you need your developers to access. - ```hcl - path "coder/data/*" { - capabilities = ["read"] - } - path "coder/metadata/*" { - capabilities = ["read"] - } - ``` +1. Create a vault policy with read access to the secret mount you need your developers to access. ```shell - vault policy write read-coder-secrets ead-coder-secrets.hcl + vault policy write read-coder-secrets - < Date: Fri, 2 Feb 2024 14:40:22 +0300 Subject: [PATCH 07/17] add tests --- vault-token/main.test.ts | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 vault-token/main.test.ts diff --git a/vault-token/main.test.ts b/vault-token/main.test.ts new file mode 100644 index 00000000..427a88b3 --- /dev/null +++ b/vault-token/main.test.ts 
@@ -0,0 +1,12 @@ +import { describe } from "bun:test"; +import { runTerraformInit, testRequiredVariables } from "../test"; + +describe("vault-token", async () => { + await runTerraformInit(import.meta.dir); + + testRequiredVariables(import.meta.dir, { + agent_id: "foo", + vault_addr: "foo", + vault_token: "foo", + }); +}); \ No newline at end of file From b3069d26b64af06745ae966c2ba6bbb7ce13154c Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Fri, 2 Feb 2024 23:33:17 +0300 Subject: [PATCH 08/17] fmt --- vault-token/main.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vault-token/main.test.ts b/vault-token/main.test.ts index 427a88b3..d5134252 100644 --- a/vault-token/main.test.ts +++ b/vault-token/main.test.ts @@ -9,4 +9,4 @@ describe("vault-token", async () => { vault_addr: "foo", vault_token: "foo", }); -}); \ No newline at end of file +}); From d0ae47e9fd754d1460c69550f5971e0c13e0f5dd Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Sat, 3 Feb 2024 02:00:11 +0300 Subject: [PATCH 09/17] update README --- vault-token/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/vault-token/README.md b/vault-token/README.md index 3ad6ba12..6c406c4b 100644 --- a/vault-token/README.md +++ b/vault-token/README.md @@ -31,13 +31,13 @@ module "vault" { Then you can use the Vault CLI in your workspaces to fetch secrets from Vault: ```shell -vault kv get -mount=coder my-secret +vault kv get -namespace=coder -mount=secrets coder ``` or using the Vault API: ```shell -curl -H "X-Vault-Token: ${VAULT_TOKEN}" -X GET "${VAULT_ADDR}/v1/coder/data/my-secret" +curl -H "X-Vault-Token: ${VAULT_TOKEN}" -X GET "${VAULT_ADDR}/v1/coder/secrets/data/coder" ``` ## Configuration From a6c43b55cf2dcc853ddfb1be13b85b9cbf59a437 Mon Sep 17 00:00:00 2001 
From: Muhammad Atif Ali Date: Wed, 7 Feb 2024 18:35:35 +0300 Subject: [PATCH 10/17] Apply suggestions from code review Co-authored-by: Mathias Fredriksson --- vault-token/run.sh | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/vault-token/run.sh b/vault-token/run.sh index dca40830..f9ecf904 100644 --- a/vault-token/run.sh +++ b/vault-token/run.sh @@ -37,7 +37,7 @@ if [ "$${INSTALL_VERSION}" = "latest" ]; then printf "Failed to determine the latest Vault version.\n" exit 1 fi - VERSION=$${LATEST_VERSION} + INSTALL_VERSION=$${LATEST_VERSION} fi # Check if the vault CLI is installed and has the correct version @@ -55,15 +55,14 @@ if [ $${installation_needed} -eq 1 ]; then if [ -z "$${CURRENT_VERSION}" ]; then printf "Installing Vault CLI ...\n\n" else - printf "Upgrading Vault CLI from version %s to %s ...\n\n" "$${CURRENT_VERSION}" "$${VERSION}" + printf "Upgrading Vault CLI from version %s to %s ...\n\n" "$${CURRENT_VERSION}" "$${INSTALL_VERSION}" fi - fetch vault.zip "https://releases.hashicorp.com/vault/$${VERSION}/vault_$${VERSION}_linux_amd64.zip" + fetch vault.zip "https://releases.hashicorp.com/vault/$${INSTALL_VERSION}/vault_$${INSTALL_VERSION}_linux_amd64.zip" if [ $? -ne 0 ]; then printf "Failed to download Vault.\n" exit 1 fi - unzip vault.zip - if [ $? -ne 0 ]; then + if ! unzip vault.zip; then printf "Failed to unzip Vault.\n" exit 1 fi @@ -72,8 +71,7 @@ if [ $${installation_needed} -eq 1 ]; then printf "Vault installed successfully!\n\n" else mkdir -p ~/.local/bin - mv vault ~/.local/bin/vault - if [ ! -f ~/.local/bin/vault ]; then + if ! mv vault ~/.local/bin/vault; then printf "Failed to move Vault to local bin.\n" exit 1 fi From 64c3de4203bccecfd9d13f86e52822b37e98028a Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Tue, 13 Feb 2024 12:18:53 +0300 Subject: [PATCH 11/17] review suggestions --- vault-token/run.sh | 100 +++++++++++++++++++++++++-------------------- 1 file changed, 55 insertions(+), 45 deletions(-) 
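Review bot: The download failure check is left in the old `$?` form while the same hunk converts the unzip and mv checks to `if ! …; then`, so `fetch vault.zip "…"` followed by `if [ $? -ne 0 ]; then` is the one step still tested indirectly; `if ! fetch vault.zip "https://releases.hashicorp.com/vault/$${INSTALL_VERSION}/vault_$${INSTALL_VERSION}_linux_amd64.zip"; then` matches the rest. The `$?` form is also fragile because any command later inserted between the call and the test silently changes what is checked. The enclosing `if [ $${installation_needed} -eq 1 ]` block starts before this hunk.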
diff --git a/vault-token/run.sh b/vault-token/run.sh
index f9ecf904..4d0da444 100644
--- a/vault-token/run.sh
+++ b/vault-token/run.sh
@@ -14,67 +14,77 @@ fetch() { busybox wget -O "$${dest}" "$${url}" else printf "curl, wget, or busybox is not installed. Please install curl or wget in your image.\n" - exit 1 + return 1 fi } -unzip() { +unzip_safe() { if command -v unzip > /dev/null 2>&1; then command unzip "$@" elif command -v busybox > /dev/null 2>&1; then busybox unzip "$@" else printf "unzip or busybox is not installed. Please install unzip in your image.\n" - exit 1 + return 1 fi } -# Fetch the latest version of Vault if INSTALL_VERSION is 'latest' -if [ "$${INSTALL_VERSION}" = "latest" ]; then - LATEST_VERSION=$(curl -s https://releases.hashicorp.com/vault/ | grep -oP 'vault/\K[0-9]+\.[0-9]+\.[0-9]+' | sort -V | tail -n 1) - printf "Latest version of Vault is %s.\n\n" "$${LATEST_VERSION}" - if [ -z "$${LATEST_VERSION}" ]; then - printf "Failed to determine the latest Vault version.\n" - exit 1 +install() { + # Fetch the latest version of Vault if INSTALL_VERSION is 'latest' + if [ "$${INSTALL_VERSION}" = "latest" ]; then + LATEST_VERSION=$(curl -s https://releases.hashicorp.com/vault/ | grep -oP 'vault/\K[0-9]+\.[0-9]+\.[0-9]+' | sort -V | tail -n 1) + printf "Latest version of Vault is %s.\n\n" "$${LATEST_VERSION}" + if [ -z "$${LATEST_VERSION}" ]; then + printf "Failed to determine the latest Vault version.\n" + return 1 + fi + INSTALL_VERSION=$${LATEST_VERSION} fi - INSTALL_VERSION=$${LATEST_VERSION} -fi -# Check if the vault CLI is installed and has the correct version -installation_needed=1 -if command -v vault > /dev/null 2>&1; then - CURRENT_VERSION=$(vault version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+') - if [ "$${CURRENT_VERSION}" = "$${INSTALL_VERSION}" ]; then - printf "Vault version %s is already installed and up-to-date.\n\n" "$${CURRENT_VERSION}" - installation_needed=0 + # Check if the vault CLI is installed and has the correct version + installation_needed=1 + if command -v vault > /dev/null 2>&1; then + CURRENT_VERSION=$(vault version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+') + if [ 
"$${CURRENT_VERSION}" = "$${INSTALL_VERSION}" ]; then + printf "Vault version %s is already installed and up-to-date.\n\n" "$${CURRENT_VERSION}" + installation_needed=0 + fi fi -fi -if [ $${installation_needed} -eq 1 ]; then - # Download and install Vault - if [ -z "$${CURRENT_VERSION}" ]; then - printf "Installing Vault CLI ...\n\n" - else - printf "Upgrading Vault CLI from version %s to %s ...\n\n" "$${CURRENT_VERSION}" "$${INSTALL_VERSION}" - fi - fetch vault.zip "https://releases.hashicorp.com/vault/$${INSTALL_VERSION}/vault_$${INSTALL_VERSION}_linux_amd64.zip" - if [ $? -ne 0 ]; then - printf "Failed to download Vault.\n" - exit 1 - fi - if ! unzip vault.zip; then - printf "Failed to unzip Vault.\n" - exit 1 - fi - rm vault.zip - if sudo mv vault /usr/local/bin/vault 2> /dev/null; then - printf "Vault installed successfully!\n\n" - else - mkdir -p ~/.local/bin - if ! mv vault ~/.local/bin/vault; then - printf "Failed to move Vault to local bin.\n" - exit 1 + if [ $${installation_needed} -eq 1 ]; then + # Download and install Vault + if [ -z "$${CURRENT_VERSION}" ]; then + printf "Installing Vault CLI ...\n\n" + else + printf "Upgrading Vault CLI from version %s to %s ...\n\n" "$${CURRENT_VERSION}" "${INSTALL_VERSION}" + fi + fetch vault.zip "https://releases.hashicorp.com/vault/$${INSTALL_VERSION}/vault_$${INSTALL_VERSION}_linux_amd64.zip" + if [ $? -ne 0 ]; then + printf "Failed to download Vault.\n" + return 1 + fi + if ! unzip_safe vault.zip; then + printf "Failed to unzip Vault.\n" + return 1 + fi + rm vault.zip + if sudo mv vault /usr/local/bin/vault 2> /dev/null; then + printf "Vault installed successfully!\n\n" + else + mkdir -p ~/.local/bin + if ! mv vault ~/.local/bin/vault; then + printf "Failed to move Vault to local bin.\n" + return 1 + fi + printf "Please add ~/.local/bin to your PATH to use vault CLI.\n" fi - printf "Please add ~/.local/bin to your PATH to use vault CLI.\n" fi +} + +TMP=$(mktemp -d) +pushd "${TMP}" > /dev/null +if ! 
install; then + printf "Installation failed\n" fi +popd > /dev/null +rm -rf "${TMP}" From fa95715f96872d816f6c1c54ed620dbfbce9a099 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Tue, 13 Feb 2024 12:20:29 +0300 Subject: [PATCH 12/17] review suggestions --- vault-github/run.sh | 98 ++++++++++++++++++++++++--------------------- 1 file changed, 53 insertions(+), 45 deletions(-) diff --git a/vault-github/run.sh b/vault-github/run.sh index 0f54a95f..4385ecfb 100644 --- a/vault-github/run.sh +++ b/vault-github/run.sh @@ -1,4 +1,4 @@ -#!/usr/bin/env sh +#!/usr/bin/env bash # Convert all templated variables to shell variables INSTALL_VERSION=${INSTALL_VERSION} 
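Review bot: In the new `install()` the upgrade message reads `"${INSTALL_VERSION}"` with a single `$`; because this file is rendered through `templatefile` (every other reference is escaped as `$${…}`), that expansion happens at template time with the raw module input, so after the `latest` lookup the message prints `latest` rather than the resolved version — it should be `"$${INSTALL_VERSION}"`. The identical line is in the vault-github hunk of patch 12. `LATEST_VERSION`, `CURRENT_VERSION` and `installation_needed` are now assigned inside a function under a bash shebang but are not declared `local`, so they leak into the calling shell; `local` on each keeps the helper self-contained. The `latest` lookup still calls `curl -s` directly rather than `fetch`, so images that only have wget or busybox always hit the "Failed to determine" path.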
@@ -31,57 +31,65 @@ unzip() { fi } -# Fetch the latest version of Vault if INSTALL_VERSION is 'latest' -if [ "$${INSTALL_VERSION}" = "latest" ]; then - LATEST_VERSION=$(curl -s https://releases.hashicorp.com/vault/ | grep -oP 'vault/\K[0-9]+\.[0-9]+\.[0-9]+' | sort -V | tail -n 1) - printf "Latest version of Vault is %s.\n\n" "$${LATEST_VERSION}" - if [ -z "$${LATEST_VERSION}" ]; then - printf "Failed to determine the latest Vault version.\n" - exit 1 +install() { + # Fetch the latest version of Vault if INSTALL_VERSION is 'latest' + if [ "$${INSTALL_VERSION}" = "latest" ]; then + LATEST_VERSION=$(curl -s https://releases.hashicorp.com/vault/ | grep -oP 'vault/\K[0-9]+\.[0-9]+\.[0-9]+' | sort -V | tail -n 1) + printf "Latest version of Vault is %s.\n\n" "$${LATEST_VERSION}" + if [ -z "$${LATEST_VERSION}" ]; then + printf "Failed to determine the latest Vault version.\n" + return 1 + fi + INSTALL_VERSION=$${LATEST_VERSION} fi - VERSION=$${LATEST_VERSION} -fi -# Check if the vault CLI is installed and has the correct version -installation_needed=1 -if command -v vault > /dev/null 2>&1; then - CURRENT_VERSION=$(vault version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+') - if [ "$${CURRENT_VERSION}" = "$${INSTALL_VERSION}" ]; then - printf "Vault version %s is already installed and up-to-date.\n\n" "$${CURRENT_VERSION}" - installation_needed=0 + # Check if the vault CLI is installed and has the correct version + installation_needed=1 + if command -v vault > /dev/null 2>&1; then + CURRENT_VERSION=$(vault version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+') + if [ "$${CURRENT_VERSION}" = "$${INSTALL_VERSION}" ]; then + printf "Vault version %s is already installed and up-to-date.\n\n" "$${CURRENT_VERSION}" + installation_needed=0 + fi fi -fi -if [ $${installation_needed} -eq 1 ]; then - # Download and install Vault - if [ -z "$${CURRENT_VERSION}" ]; then - printf "Installing Vault CLI ...\n\n" - else - printf "Upgrading Vault CLI from version %s to %s ...\n\n" "$${CURRENT_VERSION}" 
"$${VERSION}" - fi - fetch vault.zip "https://releases.hashicorp.com/vault/$${VERSION}/vault_$${VERSION}_linux_amd64.zip" - if [ $? -ne 0 ]; then - printf "Failed to download Vault.\n" - exit 1 - fi - unzip vault.zip - if [ $? -ne 0 ]; then - printf "Failed to unzip Vault.\n" - exit 1 - fi - rm vault.zip - if sudo mv vault /usr/local/bin/vault 2> /dev/null; then - printf "Vault installed successfully!\n\n" - else - mkdir -p ~/.local/bin - mv vault ~/.local/bin/vault - if [ ! -f ~/.local/bin/vault ]; then - printf "Failed to move Vault to local bin.\n" - exit 1 + if [ $${installation_needed} -eq 1 ]; then + # Download and install Vault + if [ -z "$${CURRENT_VERSION}" ]; then + printf "Installing Vault CLI ...\n\n" + else + printf "Upgrading Vault CLI from version %s to %s ...\n\n" "$${CURRENT_VERSION}" "${INSTALL_VERSION}" + fi + fetch vault.zip "https://releases.hashicorp.com/vault/$${INSTALL_VERSION}/vault_$${INSTALL_VERSION}_linux_amd64.zip" + if [ $? -ne 0 ]; then + printf "Failed to download Vault.\n" + return 1 + fi + if ! unzip_safe vault.zip; then + printf "Failed to unzip Vault.\n" + return 1 + fi + rm vault.zip + if sudo mv vault /usr/local/bin/vault 2> /dev/null; then + printf "Vault installed successfully!\n\n" + else + mkdir -p ~/.local/bin + if ! mv vault ~/.local/bin/vault; then + printf "Failed to move Vault to local bin.\n" + return 1 + fi + printf "Please add ~/.local/bin to your PATH to use vault CLI.\n" fi - printf "Please add ~/.local/bin to your PATH to use vault CLI.\n" fi +} + +TMP=$(mktemp -d) +pushd "${TMP}" > /dev/null +if ! install; then + printf "Installation failed\n" fi +popd > /dev/null +rm -rf "${TMP}" # Authenticate with Vault printf "🔑 Authenticating with Vault ...\n\n" From 8b66e52a8bdecf52dd66c54ab38bb6145928f07e Mon Sep 17 00:00:00 2001 
From: Muhammad Atif Ali Date: Tue, 13 Feb 2024 12:26:06 +0300 Subject: [PATCH 13/17] fix tests --- vault-github/run.sh | 4 ++-- vault-token/run.sh | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/vault-github/run.sh b/vault-github/run.sh index 4385ecfb..7ba1f296 100644 --- a/vault-github/run.sh +++ b/vault-github/run.sh @@ -84,12 +84,12 @@ install() { } TMP=$(mktemp -d) -pushd "${TMP}" > /dev/null +pushd "$${TMP}" > /dev/null if ! install; then printf "Installation failed\n" fi popd > /dev/null -rm -rf "${TMP}" +rm -rf "$${TMP}" # Authenticate with Vault printf "🔑 Authenticating with Vault ...\n\n" diff --git a/vault-token/run.sh b/vault-token/run.sh index 4d0da444..3dbcca08 100644 --- a/vault-token/run.sh +++ b/vault-token/run.sh @@ -82,9 +82,9 @@ install() { } TMP=$(mktemp -d) -pushd "${TMP}" > /dev/null +pushd "$${TMP}" > /dev/null if ! install; then printf "Installation failed\n" fi popd > /dev/null -rm -rf "${TMP}" +rm -rf "$${TMP}" From cb8c297137c28ea1748b845abc4c01625d4fd03b Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Tue, 13 Feb 2024 15:06:13 +0300 Subject: [PATCH 14/17] suggestions --- vault-github/run.sh | 12 +++++++----- vault-token/run.sh | 12 +++++++----- 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/vault-github/run.sh b/vault-github/run.sh index 7ba1f296..68143848 100644 --- a/vault-github/run.sh +++ b/vault-github/run.sh @@ -84,12 +84,14 @@ install() { } TMP=$(mktemp -d) -pushd "$${TMP}" > /dev/null -if ! install; then - printf "Installation failed\n" +if ! ( + cd $TMP + install +); then + echo "Failed to install Vault CLI." + exit 1 fi -popd > /dev/null -rm -rf "$${TMP}" +rm -rf $TMP # Authenticate with Vault printf "🔑 Authenticating with Vault ...\n\n" diff --git a/vault-token/run.sh b/vault-token/run.sh index 3dbcca08..decb2dc6 100644 --- a/vault-token/run.sh +++ b/vault-token/run.sh 
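Review bot: Inside the new subshell `cd $TMP` and `install` are separate commands, so when `cd` fails (an empty `TMP` after a failed `mktemp -d` makes it a no-op or a jump to `$HOME`) the download and unzip still run in whatever directory the shell is in, and `rm -rf $TMP` afterwards acts on that same value; `TMP=$(mktemp -d) || exit 1` catches the mktemp failure and `cd "$TMP" && install` stops at the failed `cd`. The `exit 1` path also skips the `rm -rf`, leaving the temp dir behind; `trap 'rm -rf "$TMP"' EXIT` directly after mktemp covers both paths. The same shape is in the vault-token hunk of this commit and is kept by patch 16, which only adds the quotes. The new `echo` also breaks with the `printf` used everywhere else in these scripts.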
@@ -82,9 +82,11 @@ install() {
 }

 TMP=$(mktemp -d)
-pushd "$${TMP}" > /dev/null
-if ! install; then
- printf "Installation failed\n"
+if ! (
+ cd $TMP
+ install
+); then
+ echo "Failed to install Vault CLI."
+ exit 1
 fi
-popd > /dev/null
-rm -rf "$${TMP}"
+rm -rf $TMP
From d8b519e0e94ae43284109ab3b5bcaf34c13f8fd3 Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Tue, 13 Feb 2024 15:08:12 +0300
Subject: [PATCH 15/17] Add return statement to install function
---
 vault-github/run.sh | 1 +
 vault-token/run.sh | 1 +
 2 files changed, 2 insertions(+)
diff --git a/vault-github/run.sh b/vault-github/run.sh
index 68143848..bf2847bc 100644
--- a/vault-github/run.sh
+++ b/vault-github/run.sh
@@ -81,6 +81,7 @@ install() {
 printf "Please add ~/.local/bin to your PATH to use vault CLI.\n"
 fi
 fi
+ return 0
 }

 TMP=$(mktemp -d)
diff --git a/vault-token/run.sh b/vault-token/run.sh
index decb2dc6..357a24a4 100644
--- a/vault-token/run.sh
+++ b/vault-token/run.sh
@@ -79,6 +79,7 @@ install() {
 printf "Please add ~/.local/bin to your PATH to use vault CLI.\n"
 fi
 fi
+ return 0
 }

 TMP=$(mktemp -d)
From 3d35e45621d4bb2c715f470cca8db575c5550ae3 Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Tue, 13 Feb 2024 16:02:22 +0300
Subject: [PATCH 16/17] Apply suggestions from code review
Co-authored-by: Mathias Fredriksson
---
 vault-github/run.sh | 4 ++--
 vault-token/run.sh | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/vault-github/run.sh b/vault-github/run.sh
index bf2847bc..6998b8d0 100644
--- a/vault-github/run.sh
+++ b/vault-github/run.sh
@@ -86,13 +86,13 @@ install() {

 TMP=$(mktemp -d)
 if ! (
- cd $TMP
+ cd "$TMP"
 install
 ); then
 echo "Failed to install Vault CLI."
 exit 1
 fi
-rm -rf $TMP
+rm -rf "$TMP"

 # Authenticate with Vault
 printf "🔑 Authenticating with Vault ...\n\n"
diff --git a/vault-token/run.sh b/vault-token/run.sh
index 357a24a4..a4edcd10 100644
--- a/vault-token/run.sh
+++ b/vault-token/run.sh
@@ -84,10 +84,10 @@ install() {

 TMP=$(mktemp -d)
 if ! (
- cd $TMP
+ cd "$TMP"
 install
 ); then
 echo "Failed to install Vault CLI."
 exit 1
 fi
-rm -rf $TMP
+rm -rf "$TMP"
From 9b3b139e5f77c1725d32372158838d4c978f56e5 Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Wed, 14 Feb 2024 00:55:59 +0300
Subject: [PATCH 17/17] fixup
---
 vault-github/run.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vault-github/run.sh b/vault-github/run.sh
index 6998b8d0..b0f9e0fb 100644
--- a/vault-github/run.sh
+++ b/vault-github/run.sh
@@ -20,7 +20,7 @@ fetch() {
 fi
 }

-unzip() {
+unzip_safe() {
 if command -v unzip > /dev/null 2>&1; then
 command unzip "$@"
 elif command -v busybox > /dev/null 2>&1; then