feat: support optional installation of vault enterprise binary (#582)

## Description When using the SAML auth method with Vault and authenticating via CLI it is required to use the enterprise version of the binary, as SAML support is not built into the non enterprise version of the CLI. This PR adds an optional `enterprise` variable to support this. @matifali can you let me know the appropriate tag command to run to release this once approved, please? ## Type of Change - [ ] New module - [ ] New template - [ ] Bug fix - [x] Feature/enhancement - [ ] Documentation - [ ] Other ## Module Information **Path:** `registry/coder/modules/vault-cli` **New version:** `v1.1.0` **Breaking change:** [ ] Yes [x] No ## Testing & Validation - [ ] Tests pass (`bun test`) - [ ] Code formatted (`bun fmt`) - [x] Changes tested locally ## Related Issues None
2026-06-02 20:48:14 +00:00 · 2025-12-09 00:56:03 +11:00
parent 2cfbe5f69c
commit 3ae8c7dcff
4 changed files with 50 additions and 8 deletions
@@ -13,7 +13,7 @@ Installs the [Vault](https://www.vaultproject.io/) CLI and optionally configures
 ```tf
 module "vault_cli" {
  source     = "registry.coder.com/coder/vault-cli/coder"
-  version    = "1.0.0"
+  version    = "1.1.0"
  agent_id   = coder_agent.example.id
  vault_addr = "https://vault.example.com"
 }
@@ -34,7 +34,7 @@ If you have a Vault token, you can provide it to automatically configure authent
 ```tf
 module "vault_cli" {
  source      = "registry.coder.com/coder/vault-cli/coder"
-  version     = "1.0.0"
+  version     = "1.1.0"
  agent_id    = coder_agent.example.id
  vault_addr  = "https://vault.example.com"
  vault_token = var.vault_token # Optional
@@ -50,7 +50,7 @@ Install the Vault CLI without any authentication:
 ```tf
 module "vault_cli" {
  source     = "registry.coder.com/coder/vault-cli/coder"
-  version    = "1.0.0"
+  version    = "1.1.0"
  agent_id   = coder_agent.example.id
  vault_addr = "https://vault.example.com"
 }
@@ -61,7 +61,7 @@ module "vault_cli" {
 ```tf
 module "vault_cli" {
  source            = "registry.coder.com/coder/vault-cli/coder"
-  version           = "1.0.0"
+  version           = "1.1.0"
  agent_id          = coder_agent.example.id
  vault_addr        = "https://vault.example.com"
  vault_cli_version = "1.15.0"
@@ -73,7 +73,7 @@ module "vault_cli" {
 ```tf
 module "vault_cli" {
  source      = "registry.coder.com/coder/vault-cli/coder"
-  version     = "1.0.0"
+  version     = "1.1.0"
  agent_id    = coder_agent.example.id
  vault_addr  = "https://vault.example.com"
  install_dir = "/home/coder/bin"
@@ -87,7 +87,7 @@ For Vault Enterprise users who need to specify a namespace:
 ```tf
 module "vault_cli" {
  source          = "registry.coder.com/coder/vault-cli/coder"
-  version         = "1.0.0"
+  version         = "1.1.0"
  agent_id        = coder_agent.example.id
  vault_addr      = "https://vault.example.com"
  vault_token     = var.vault_token
@@ -95,6 +95,20 @@ module "vault_cli" {
 }
 ```

+### Vault Enterprise Binary
+
+Install the Vault Enterprise binary. This is required if using SAML authentication to Vault:
+
+```tf
+module "vault_cli" {
+  source     = "registry.coder.com/coder/vault-cli/coder"
+  version    = "1.1.0"
+  agent_id   = coder_agent.example.id
+  vault_addr = "https://vault.example.com"
+  enterprise = true
+}
+```
+
 ## Related Modules

 For more advanced authentication methods, see:
@@ -48,6 +48,12 @@ variable "vault_namespace" {
  default     = null
 }

+variable "enterprise" {
+  type        = bool
+  description = "Whether to install the enterprise version of the Vault CLI. Required if using SAML authentication to Vault."
+  default     = false
+}
+
 data "coder_workspace" "me" {}

 resource "coder_script" "vault_cli" {
@@ -59,6 +65,7 @@ resource "coder_script" "vault_cli" {
    VAULT_TOKEN       = var.vault_token
    INSTALL_DIR       = var.install_dir
    VAULT_CLI_VERSION = var.vault_cli_version
+    ENTERPRISE        = var.enterprise
  })
  run_on_start       = true
  start_blocks_login = true
@@ -163,3 +163,14 @@ run "test_vault_cli_with_token_and_namespace" {
    error_message = "VAULT_NAMESPACE should match the provided vault_namespace"
  }
 }
+
+run "test_vault_cli_enterprise" {
+  variables {
+    enterprise = true
+  }
+
+  assert {
+    condition     = resource.coder_script.vault_cli.display_name == "Vault CLI"
+    error_message = "Display name should be 'Vault CLI'"
+  }
+}
@@ -5,6 +5,7 @@ VAULT_ADDR=${VAULT_ADDR}
 VAULT_TOKEN=${VAULT_TOKEN}
 INSTALL_DIR=${INSTALL_DIR}
 VAULT_CLI_VERSION=${VAULT_CLI_VERSION}
+ENTERPRISE=${ENTERPRISE}

 # Fetch URL content. If dest is provided, write to file; otherwise output to stdout.
 # Usage: fetch <url> [dest]
@@ -75,9 +76,18 @@ install() {

  # Fetch release information from HashiCorp API
  if [ "$${VAULT_CLI_VERSION}" = "latest" ]; then
-    API_URL="https://api.releases.hashicorp.com/v1/releases/vault/latest"
+    if [ "$${ENTERPRISE}" = "true" ]; then
+      API_URL="https://api.releases.hashicorp.com/v1/releases/vault/latest?license_class=enterprise"
+    else
+      API_URL="https://api.releases.hashicorp.com/v1/releases/vault/latest"
+    fi
  else
-    API_URL="https://api.releases.hashicorp.com/v1/releases/vault/$${VAULT_CLI_VERSION}"
+    # For specific version, append +ent suffix for enterprise
+    if [ "$${ENTERPRISE}" = "true" ]; then
+      API_URL="https://api.releases.hashicorp.com/v1/releases/vault/$${VAULT_CLI_VERSION}+ent"
+    else
+      API_URL="https://api.releases.hashicorp.com/v1/releases/vault/$${VAULT_CLI_VERSION}"
+    fi
  fi

  API_RESPONSE=$(fetch "$${API_URL}")