feat: add vault-cli module with optional token configuration #575
Pull request overview
This PR introduces a new vault-cli module that provides Vault CLI installation with optional token and namespace configuration. The module serves as a foundational component intended to reduce code duplication across existing vault modules (vault-github, vault-jwt, vault-token) in future updates.
Key Changes:
- Adds Vault CLI installation with automatic version detection and multi-OS support
- Implements optional token and namespace authentication via environment variables
- Introduces semantic version validation for the Vault CLI version parameter
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| registry/coder/modules/vault-cli/run.sh | Bash script implementing Vault CLI installation with OS detection, architecture mapping, and custom installation directory support |
| registry/coder/modules/vault-cli/main.tf | Terraform module configuration with conditional environment variable resources for token and namespace |
| registry/coder/modules/vault-cli/main.tftest.hcl | Comprehensive test suite covering various configuration scenarios including token, namespace, versioning, and validation cases |
| registry/coder/modules/vault-cli/README.md | Module documentation with usage examples for different authentication scenarios and related module references |
…ation

Closes #50

This adds a new vault-cli module that:
- Installs the Vault CLI using the official HashiCorp releases API
- Uses jq to parse API response when available, falls back to sed
- Fetches download URL directly from API (with fallback to constructed URL)
- Optionally configures token authentication if provided
- Optionally configures Vault Enterprise namespace if provided
- Sets up VAULT_ADDR environment variable
- Conditionally sets VAULT_TOKEN environment variable when token is provided
- Conditionally sets VAULT_NAMESPACE environment variable when namespace is provided
- Validates vault_cli_version must be 'latest' or a semantic version without v prefix

The module can be used standalone for just CLI installation, or with a token and/or namespace for authentication scenarios.
given run.sh has reqs like jq, unzip, wget/curl etc, maybe this should be noted in README.md so consumers know what is needed to use this upfront?
Address review feedback:
- Combine fetch_stdout() and fetch() into single fetch() function
- fetch <url> outputs to stdout, fetch <url> <dest> writes to file
- HTTP client detection is cached and reused for both cases
- Fixes issue where curl was used explicitly for API calls but fetch() function supported wget/busybox
README validation requires Terraform code block in h1 section
…ments
The $${} syntax is Terraform template escaping which shellcheck
doesn't understand. Added disable directive for both case statements
in the fetch() function.
rowansmithau
left a comment
tested myself locally with and without supplying a vault token, looks good to me
Closes #50
This adds a new vault-cli module that:
- VAULT_ADDR environment variable
- VAULT_TOKEN environment variable when token is provided
- VAULT_NAMESPACE environment variable when namespace is provided
- vault_cli_version must be latest or a semantic version (x.y.z)

The module can be used standalone for just CLI installation, or with a token and/or namespace for authentication scenarios.
Follow-up
As a follow-up, we will update the other vault modules (vault-github, vault-jwt, vault-token) to use this module for CLI installation, reducing code duplication.
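
The version check and the two-mode fetch helper described in this pull request, sketched as an added example that is not the module's run.sh. Function names are hypothetical, the releases.hashicorp.com URL layout is an assumption, and only curl and wget are handled.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not taken from run.sh.

# Accept only "latest" or x.y.z (digits and dots, no "v" prefix), so the
# value cannot carry slashes, newlines or shell metacharacters into a URL.
validate_version() {
  case "$1" in
    latest) return 0 ;;
    "" | *[!0-9.]*) return 1 ;;
  esac
  case "$1" in
    *.*.*.* | .* | *. | *..*) return 1 ;;
    *.*.*) return 0 ;;
  esac
  return 1
}

# Fallback URL for a pinned version (assumed releases.hashicorp.com layout).
release_url() { # release_url <x.y.z> <os> <arch>
  if ! validate_version "$1" || [ "$1" = latest ]; then
    echo "release_url: need a pinned x.y.z version" >&2
    return 1
  fi
  printf 'https://releases.hashicorp.com/vault/%s/vault_%s_%s_%s.zip\n' \
    "$1" "$1" "$2" "$3"
}

HTTP_CLIENT=""
detect_client() { # cache the choice; call once before any $(fetch ...) subshell
  [ -n "$HTTP_CLIENT" ] && return 0
  if command -v curl >/dev/null 2>&1; then HTTP_CLIENT=curl
  elif command -v wget >/dev/null 2>&1; then HTTP_CLIENT=wget
  else echo "fetch: curl or wget is required" >&2; return 1
  fi
}

# fetch <url> writes to stdout; fetch <url> <dest> writes to a file.
fetch() {
  detect_client || return 1
  case "$HTTP_CLIENT" in
    curl) curl -fsSL --proto '=https' -o "${2:--}" "$1" ;;
    wget) wget -q -O "${2:--}" "$1" ;;
  esac
}

release_url 1.15.4 linux amd64 # constructed sample version
```

A variable assigned inside `$(fetch ...)` is lost when the subshell exits, so the cached client only persists if `detect_client` runs in the parent shell first.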