hcp-ansible/roles/vault/tasks/install.yml

---
# task/install file for vault
- name: "Vault | Get latest release of vault"
  when: vault_version == 'latest'
  block:
    - name: "Vault | Get latest vault release from github api"
      ansible.builtin.uri:
        url: "{{ vault_github_api }}/hashicorp/vault/releases/latest"
        return_content: true
      register: _vault_latest_release

    - name: "Vault | Set wanted vault version to latest tag"
      ansible.builtin.set_fact:
        _vault_wanted_version: "{{ _vault_latest_release.json['tag_name']|regex_replace('v', '') }}"

- name: "Vault | Set wanted vault version to {{ vault_version }}"
  ansible.builtin.set_fact:
    _vault_wanted_version: "{{ vault_version|regex_replace('v', '') }}"
  when: vault_version != 'latest'

- name: "Vault | Get current vault version"
  block:
    - name: "Vault | Stat vault version file"
      ansible.builtin.stat:
        path: "{{ vault_config_dir }}/.version"
      changed_when: false
      check_mode: false
      register: _vault_version_file

    - name: "Vault | Get current vault version"
      ansible.builtin.slurp:
        src: "{{ _vault_version_file.stat.path }}"
      when:
        - _vault_version_file.stat.exists
        - _vault_version_file.stat.isreg
      register: _vault_current_version

- name: "Vault | Download and install vault binary"
  when:
    - _vault_current_version is not defined
      or _vault_wanted_version != (_vault_current_version.content|default('')|b64decode)
    - not ansible_check_mode
  block:
    - name: "Vault | Set vault package name to download"
      ansible.builtin.set_fact:
        _vault_package_name: >-
          vault_{{ _vault_wanted_version }}_linux_{{ vault_deb_architecture_map[ansible_architecture] }}.zip          
        _vault_shasum_file_name: >-
          vault_{{ _vault_wanted_version }}_SHA256SUMS          

    - name: "Vault | Download checksum file for vault archive"
      ansible.builtin.get_url:
        url: "{{ vault_repository_url }}/{{ _vault_wanted_version }}/{{ _vault_shasum_file_name }}"
        dest: "/tmp/{{ _vault_shasum_file_name }}"
        mode: "0644"
      register: _vault_checksum_file
      until: _vault_checksum_file is succeeded
      retries: 5
      delay: 2
      check_mode: false

    - name: "Vault | Extract correct checksum from checksum file"
      ansible.builtin.command:
        cmd: 'grep "{{ _vault_package_name }}" /tmp/{{ _vault_shasum_file_name }}'
      changed_when: false
      register: _vault_expected_checksum_line

    - name: "Vault | Parse the expected checksum"
      ansible.builtin.set_fact:
        _vault_expected_checksum: "{{ _vault_expected_checksum_line.stdout.split()[0] }}"

    - name: "Vault | Download vault binary archive"
      ansible.builtin.get_url:
        url: "{{ vault_repository_url }}/{{ _vault_wanted_version }}/{{ _vault_package_name }}"
        dest: "/tmp/{{ _vault_package_name }}"
        mode: "0644"
        checksum: "sha256:{{ _vault_expected_checksum }}"
      register: _vault_binary_archive
      until: _vault_binary_archive is succeeded
      retries: 5
      delay: 2

    - name: "Vault | Create temporary directory for archive decompression"
      ansible.builtin.file:
        path: /tmp/vault
        state: directory
        mode: "0755"

    - name: "Vault | Unpack vault archive"
      ansible.builtin.unarchive:
        src: "/tmp/{{ _vault_package_name }}"
        dest: "/tmp/vault"
        owner: "{{ vault_user }}"
        group: "{{ vault_group }}"
        mode: "0755"
        remote_src: true

    - name: "Vault | Copy vault binary to {{ vault_binary_path }}"
      ansible.builtin.copy:
        src: /tmp/vault/vault
        dest: "{{ vault_binary_path }}"
        owner: root
        group: root
        mode: "0755"
        remote_src: true
        force: true

    - name: "Vault | Update vault version file"
      ansible.builtin.copy:
        content: "{{ _vault_wanted_version }}"
        dest: "{{ vault_config_dir }}/.version"
        owner: "{{ vault_user }}"
        group: "{{ vault_group }}"
        mode: "0600"

    - name: "Vault | Set restart-check variable"
      ansible.builtin.set_fact:
        _vault_service_need_restart: true

    - name: "Vault | Cleanup temporary directory"
      ansible.builtin.file:
        path: "{{ item }}"
        state: absent
      loop:
        - /tmp/vault
        - /tmp/{{ _vault_package_name }}
        - /tmp/{{ _vault_shasum_file_name }}

- name: "Vault | Copy systemd service file for vault"
  ansible.builtin.template:
    src: "vault.service.j2"
    dest: "/etc/systemd/system/{{ vault_service_name }}.service"
    owner: root
    group: root
    mode: "0644"
  register: _vault_unit_file

- name: "Vault | Set reload-check & restart-check variable"
  ansible.builtin.set_fact:
    _vault_service_need_reload: true
    _vault_service_need_restart: true
  when: _vault_unit_file.changed # noqa: no-handler

- name: "Vault | Copy systemd service file for vault"
  ansible.builtin.template:
    src: "vault.service.j2"
    dest: "/etc/systemd/system/vault.service"
    owner: root
    group: root
    mode: "0644"
  notify:
    - "systemctl-daemon-reload"