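---
# Install (or upgrade) the Vault binary from releases.hashicorp.com.
#
# Flow: download the release archive, the SHA256SUMS file and its detached
# signature; verify the signature over SHA256SUMS; verify the archive against
# SHA256SUMS; then unpack and install the binary.
#
# Inputs defined outside this file: hc_vault_version, hc_vault_architecture,
# hc_vault_runas, hc_vault_binary_path, hc_vault_binary_installed,
# hc_vault_local_binary_version, and tmp_file (presumably a registered
# temporary directory -- confirm against the caller).
- name: install vault binary
  when: not hc_vault_binary_installed or hc_vault_local_binary_version != hc_vault_version
  notify:
    - 'vault : restart vault service'
  block:
    - name: download archive
      ansible.builtin.get_url:
        url: 'https://releases.hashicorp.com/vault/{{ hc_vault_version }}/vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip'
        dest: '{{ tmp_file.path }}/vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip'
        mode: '0600'

    - name: download SHASUMs file signature
      ansible.builtin.get_url:
        url: 'https://releases.hashicorp.com/vault/{{ hc_vault_version }}/vault_{{ hc_vault_version }}_SHA256SUMS.sig'
        dest: '{{ tmp_file.path }}/shasums.sig'
        mode: '0600'

    - name: download SHASUMs files for vault releases
      ansible.builtin.get_url:
        url: 'https://releases.hashicorp.com/vault/{{ hc_vault_version }}/vault_{{ hc_vault_version }}_SHA256SUMS'
        dest: '{{ tmp_file.path }}/shasums.txt'
        mode: '0600'

    - name: Verify downloaded files integrity
      block:
        # NOTE(review): `gpg --verify` exits 0 for a good signature made by
        # ANY public key present in the invoking user's keyring. Nothing in
        # this file imports the vendor release key or checks the signer's
        # fingerprint, and the task does not set `become`, so the keyring of
        # the connecting user is the trust anchor. Confirm that the expected
        # key is provisioned and pinned elsewhere in the role.
        #
        # argv form avoids word-splitting of the templated paths.
        - name: check SHASUMs file integrity
          ansible.builtin.command:
            argv:
              - gpg
              - '--verify'
              - '{{ tmp_file.path }}/shasums.sig'
              - '{{ tmp_file.path }}/shasums.txt'
          # Verification only; never reports a change on its own.
          changed_when: false

        # failed_when replaces the default return-code check: success is
        # decided solely by finding the "<archive>: OK" line in stdout.
        # Presumably needed because SHA256SUMS lists archives that were not
        # downloaded, which makes `sha256sum -c` exit non-zero -- confirm.
        - name: check SHASUM of the downloaded archive
          ansible.builtin.command:
            argv:
              - sha256sum
              - '-c'
              - '{{ tmp_file.path }}/shasums.txt'
            chdir: '{{ tmp_file.path }}'
          register: shasum_check
          changed_when: false
          failed_when: 'search_string not in shasum_check.stdout'
          vars:
            search_string: 'vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip: OK'

    # `set -eu` makes a failed cd / unzip / install abort the task. Without
    # it the script's exit status is that of the last line, whose `|| (echo)`
    # always succeeds, so every earlier failure was silently masked.
    #
    # The final smoke test is still advisory: a non-zero exit from
    # `<binary> -h` only prints a message and does not fail the play.
    # NOTE(review): decide whether that should be a hard failure.
    #
    # Paths and the run-as user are passed through `quote` so that unusual
    # characters in those variables cannot alter the command run as root.
    - name: install vault package
      become: true
      ansible.builtin.shell: |
        set -eu
        cd {{ tmp_file.path | quote }}
        unzip -o vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip
        install -g {{ hc_vault_runas | quote }} -o {{ hc_vault_runas | quote }} -p -m 500 ./vault {{ hc_vault_binary_path | quote }}
        {{ hc_vault_binary_path | quote }} -h > /dev/null || (echo "Unexpected return, binary might be invalid")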