From 3ae8c7dcff5a309867a2a7a636c083bc03ac0a87 Mon Sep 17 00:00:00 2001
From: Rowan Smith
Date: Tue, 9 Dec 2025 00:56:03 +1100
Subject: [PATCH] feat: support optional installation of vault enterprise binary (#582)
## Description When using the SAML auth method with Vault and authenticating via CLI it is required to use the enterprise version of the binary, as SAML support is not built into the non enterprise version of the CLI. This PR adds an optional `enterprise` variable to support this. @matifali can you let me know the appropriate tag command to run to release this once approved, please? ## Type of Change - [ ] New module - [ ] New template - [ ] Bug fix - [x] Feature/enhancement - [ ] Documentation - [ ] Other ## Module Information **Path:** `registry/coder/modules/vault-cli` **New version:** `v1.1.0` **Breaking change:** [ ] Yes [x] No ## Testing & Validation - [ ] Tests pass (`bun test`) - [ ] Code formatted (`bun fmt`) - [x] Changes tested locally ## Related Issues None
---
 registry/coder/modules/vault-cli/README.md | 26 ++++++++++++++-----
 registry/coder/modules/vault-cli/main.tf | 7 +++++
 .../coder/modules/vault-cli/main.tftest.hcl | 11 ++++++++
 registry/coder/modules/vault-cli/run.sh | 14 ++++++++--
 4 files changed, 50 insertions(+), 8 deletions(-)
diff --git a/registry/coder/modules/vault-cli/README.md b/registry/coder/modules/vault-cli/README.md
index 776ec6be..f8df790f 100644
--- a/registry/coder/modules/vault-cli/README.md
+++ b/registry/coder/modules/vault-cli/README.md
@@ -13,7 +13,7 @@ Installs the [Vault](https://www.vaultproject.io/) CLI and optionally configures
 ```tf
 module "vault_cli" {
 source = "registry.coder.com/coder/vault-cli/coder"
- version = "1.0.0"
+ version = "1.1.0"
 agent_id = coder_agent.example.id
 vault_addr = "https://vault.example.com"
 }
@@ -34,7 +34,7 @@ If you have a Vault token, you can provide it to automatically configure authent
 ```tf
 module "vault_cli" {
 source = "registry.coder.com/coder/vault-cli/coder"
- version = "1.0.0"
+ version = "1.1.0"
 agent_id = coder_agent.example.id
 vault_addr = "https://vault.example.com"
 vault_token = var.vault_token # Optional
@@ -50,7 +50,7 @@ Install the Vault CLI without any authentication:
 ```tf
 module "vault_cli" {
 source = "registry.coder.com/coder/vault-cli/coder"
- version = "1.0.0"
+ version = "1.1.0"
 agent_id = coder_agent.example.id
 vault_addr = "https://vault.example.com"
 }
@@ -61,7 +61,7 @@ module "vault_cli" {
 ```tf
 module "vault_cli" {
 source = "registry.coder.com/coder/vault-cli/coder"
- version = "1.0.0"
+ version = "1.1.0"
 agent_id = coder_agent.example.id
 vault_addr = "https://vault.example.com"
 vault_cli_version = "1.15.0"
@@ -73,7 +73,7 @@ module "vault_cli" {
 ```tf
 module "vault_cli" {
 source = "registry.coder.com/coder/vault-cli/coder"
- version = "1.0.0"
+ version = "1.1.0"
 agent_id = coder_agent.example.id
 vault_addr = "https://vault.example.com"
 install_dir = "/home/coder/bin"
@@ -87,7 +87,7 @@ For Vault Enterprise users who need to specify a namespace:
 ```tf
 module "vault_cli" {
 source = "registry.coder.com/coder/vault-cli/coder"
- version = "1.0.0"
+ version = "1.1.0"
 agent_id = coder_agent.example.id
 vault_addr = "https://vault.example.com"
 vault_token = var.vault_token
@@ -95,6 +95,20 @@ module "vault_cli" {
 }
 ```
+### Vault Enterprise Binary
+
+Install the Vault Enterprise binary. This is required if using SAML authentication to Vault:
+
+```tf
+module "vault_cli" {
+ source = "registry.coder.com/coder/vault-cli/coder"
+ version = "1.1.0"
+ agent_id = coder_agent.example.id
+ vault_addr = "https://vault.example.com"
+ enterprise = true
+}
+```
+
 ## Related Modules
 For more advanced authentication methods, see:
diff --git a/registry/coder/modules/vault-cli/main.tf b/registry/coder/modules/vault-cli/main.tf
index eaacb66b..1fa2011c 100644
--- a/registry/coder/modules/vault-cli/main.tf
+++ b/registry/coder/modules/vault-cli/main.tf
@@ -48,6 +48,12 @@ variable "vault_namespace" {
 default = null
 }
+variable "enterprise" {
+ type = bool
+ description = "Whether to install the enterprise version of the Vault CLI. Required if using SAML authentication to Vault."
+ default = false
+}
+
 data "coder_workspace" "me" {}
 resource "coder_script" "vault_cli" {
@@ -59,6 +65,7 @@ resource "coder_script" "vault_cli" {
 VAULT_TOKEN = var.vault_token
 INSTALL_DIR = var.install_dir
 VAULT_CLI_VERSION = var.vault_cli_version
+ ENTERPRISE = var.enterprise
 })
 run_on_start = true
 start_blocks_login = true
diff --git a/registry/coder/modules/vault-cli/main.tftest.hcl b/registry/coder/modules/vault-cli/main.tftest.hcl
index 94a9b7ac..5f1f8214 100644
--- a/registry/coder/modules/vault-cli/main.tftest.hcl
+++ b/registry/coder/modules/vault-cli/main.tftest.hcl
@@ -163,3 +163,14 @@ run "test_vault_cli_with_token_and_namespace" {
 error_message = "VAULT_NAMESPACE should match the provided vault_namespace"
 }
 }
+
+run "test_vault_cli_enterprise" {
+ variables {
+ enterprise = true
+ }
+
+ assert {
+ condition = resource.coder_script.vault_cli.display_name == "Vault CLI"
+ error_message = "Display name should be 'Vault CLI'"
+ }
+}
diff --git a/registry/coder/modules/vault-cli/run.sh b/registry/coder/modules/vault-cli/run.sh
index a1917f99..18803ee5 100644
--- a/registry/coder/modules/vault-cli/run.sh
+++ b/registry/coder/modules/vault-cli/run.sh
@@ -5,6 +5,7 @@ VAULT_ADDR=${VAULT_ADDR}
 VAULT_TOKEN=${VAULT_TOKEN}
 INSTALL_DIR=${INSTALL_DIR}
 VAULT_CLI_VERSION=${VAULT_CLI_VERSION}
+ENTERPRISE=${ENTERPRISE}
 # Fetch URL content. If dest is provided, write to file; otherwise output to stdout.
 # Usage: fetch [dest]
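Review bot: In main.tf, `variable "enterprise"` is nullable by default, so a caller that passes `enterprise = null` (for instance when forwarding an unset optional value from a parent template) overrides the `false` default. The `ENTERPRISE = var.enterprise` entry added to the `templatefile` map in the following hunk would then hand a null to the `ENTERPRISE=${ENTERPRISE}` interpolation in run.sh, which Terraform is expected to reject while rendering the script. Adding `nullable = false` to the variable block keeps the default in force and fails early with a clear message; it would also help to state in the `description` that the flag switches the downloaded artifact to the `+ent` build.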
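Review bot: The only assertion in `test_vault_cli_enterprise` (main.tftest.hcl) is `display_name == "Vault CLI"`, which holds whether or not `enterprise` is set, so the run would still pass if the `ENTERPRISE` template variable were dropped or misspelled in main.tf. Assert on the rendered script instead, e.g. `condition = strcontains(resource.coder_script.vault_cli.script, "ENTERPRISE=true")` with a matching `error_message`. A companion run with the default value checking for `ENTERPRISE=false` would pin the non-enterprise download path as well.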
@@ -75,9 +76,18 @@ install() {
 # Fetch release information from HashiCorp API
 if [ "$${VAULT_CLI_VERSION}" = "latest" ]; then
- API_URL="https://api.releases.hashicorp.com/v1/releases/vault/latest"
+ if [ "$${ENTERPRISE}" = "true" ]; then
+ API_URL="https://api.releases.hashicorp.com/v1/releases/vault/latest?license_class=enterprise"
+ else
+ API_URL="https://api.releases.hashicorp.com/v1/releases/vault/latest"
+ fi
 else
- API_URL="https://api.releases.hashicorp.com/v1/releases/vault/$${VAULT_CLI_VERSION}"
+ # For specific version, append +ent suffix for enterprise
+ if [ "$${ENTERPRISE}" = "true" ]; then
+ API_URL="https://api.releases.hashicorp.com/v1/releases/vault/$${VAULT_CLI_VERSION}+ent"
+ else
+ API_URL="https://api.releases.hashicorp.com/v1/releases/vault/$${VAULT_CLI_VERSION}"
+ fi
 fi
 API_RESPONSE=$(fetch "$${API_URL}")
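Review bot: The pinned-version branch appends `+ent` unconditionally, so a workspace that already sets `vault_cli_version` to an enterprise build string such as `1.15.0+ent` together with `enterprise = true` requests `…+ent+ent`, and the failure only surfaces at workspace start. Normalising first avoids that, e.g. `case "$${VAULT_CLI_VERSION}" in *+ent*) VERSION_PATH="$${VAULT_CLI_VERSION}" ;; *) VERSION_PATH="$${VAULT_CLI_VERSION}+ent" ;; esac` and then building the URL from `VERSION_PATH`. `install()` starts and ends outside this hunk, so the download and any checksum verification are not visible here; it is worth confirming that whatever integrity check the function performs is also applied to the enterprise archive, since this change switches which artifact is fetched and executed.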