{% from "vault/map.jinja" import vault with context %} # using archive.extracted causes: 'Comment: Failed to cache https://releases.hashicorp.com/vault/0.7.0/vault_0.7.0_linux_amd64.zip: [Errno 1] _ssl.c:493: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version' vault packages: pkg.installed: - names: - unzip - curl {% if vault.secure_download %} {% if grains['os'] == 'CentOS' or grains['os'] == 'Amazon' %} - gnupg2 - perl-Digest-SHA {% elif grains['os'] == 'Ubuntu' %} - gnupg - libdigest-sha-perl {% endif %} {% endif %} download vault: cmd.run: - name: curl --silent -L https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_linux_amd64.zip -o /tmp/vault_{{ vault.version }}_linux_amd64.zip - creates: /tmp/vault_{{ vault.version }}_linux_amd64.zip {% if vault.secure_download %} download shasums: cmd.run: - name: curl --silent -L https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS -o /tmp/vault_{{ vault.version }}_SHA256SUMS - creates: /tmp/vault_{{ vault.version }}_SHA256SUMS download shasums sig: cmd.run: - name: curl --silent -L https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS.sig -o /tmp/vault_{{ vault.version }}_SHA256SUMS.sig - creates: /tmp/vault_{{ vault.version }}_SHA256SUMS.sig /tmp/hashicorp.asc: file.managed: - source: salt://vault/files/hashicorp.asc.jinja - template: jinja import key: cmd.run: - name: gpg --import /tmp/hashicorp.asc - unless: gpg --list-keys {{ vault.hashicorp_key_id }} - requires: - file: /tmp/hashicorp.asc - cmd: vault packages verify shasums sig: cmd.run: - name: gpg --verify /tmp/vault_{{ vault.version }}_SHA256SUMS.sig /tmp/vault_{{ vault.version }}_SHA256SUMS - require: - cmd: download shasums - cmd: import key verify vault: cmd.run: - name: "shasum -a 256 -c vault_{{ vault.version }}_SHA256SUMS 2>&1 | grep -q \"vault_{{ vault.version }}_linux_amd64.zip: OK\"" - cwd: /tmp - require: - cmd: download vault - cmd: verify shasums sig {% endif %} install vault: cmd.run: - name: unzip /tmp/vault_{{ vault.version }}_linux_amd64.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault - require: - cmd: download vault - pkg: unzip {% if vault.secure_download %} - cmd: verify vault {% endif %} - creates: /usr/local/bin/vault vault set cap mlock: cmd.run: - name: "setcap cap_ipc_lock=+ep /usr/local/bin/vault" - onchanges: - cmd: install vault