feat: support optional installation of vault enterprise binary (#582)

## Description

When using the SAML auth method with Vault and authenticating via CLI it
is required to use the enterprise version of the binary, as SAML support
is not built into the non enterprise version of the CLI. This PR adds an
optional `enterprise` variable to support this.

@matifali can you let me know the appropriate tag command to run to
release this once approved, please?

## Type of Change

- [ ] New module
- [ ] New template
- [ ] Bug fix
- [x] Feature/enhancement
- [ ] Documentation
- [ ] Other

## Module Information

**Path:** `registry/coder/modules/vault-cli`  
**New version:** `v1.1.0`  
**Breaking change:** [ ] Yes [x] No


## Testing & Validation

- [ ] Tests pass (`bun test`)
- [ ] Code formatted (`bun fmt`)
- [x] Changes tested locally

## Related Issues

None

Author: rowansmithau

registry/coder/modules/vault-cli/README.md

@@ -13,7 +13,7 @@ Installs the [Vault](https://www.vaultproject.io/) CLI and optionally configures
 ```tf
 module "vault_cli" {
   source     = "registry.coder.com/coder/vault-cli/coder"
-  version    = "1.0.0"
+  version    = "1.1.0"
   agent_id   = coder_agent.example.id
   vault_addr = "https://vault.example.com"
 }
@@ -34,7 +34,7 @@ If you have a Vault token, you can provide it to automatically configure authent
 ```tf
 module "vault_cli" {
   source      = "registry.coder.com/coder/vault-cli/coder"
-  version     = "1.0.0"
+  version     = "1.1.0"
   agent_id    = coder_agent.example.id
   vault_addr  = "https://vault.example.com"
   vault_token = var.vault_token # Optional
@@ -50,7 +50,7 @@ Install the Vault CLI without any authentication:
 ```tf
 module "vault_cli" {
   source     = "registry.coder.com/coder/vault-cli/coder"
-  version    = "1.0.0"
+  version    = "1.1.0"
   agent_id   = coder_agent.example.id
   vault_addr = "https://vault.example.com"
 }
@@ -61,7 +61,7 @@ module "vault_cli" {
 ```tf
 module "vault_cli" {
   source            = "registry.coder.com/coder/vault-cli/coder"
-  version           = "1.0.0"
+  version           = "1.1.0"
   agent_id          = coder_agent.example.id
   vault_addr        = "https://vault.example.com"
   vault_cli_version = "1.15.0"
@@ -73,7 +73,7 @@ module "vault_cli" {
 ```tf
 module "vault_cli" {
   source      = "registry.coder.com/coder/vault-cli/coder"
-  version     = "1.0.0"
+  version     = "1.1.0"
   agent_id    = coder_agent.example.id
   vault_addr  = "https://vault.example.com"
   install_dir = "/home/coder/bin"
@@ -87,14 +87,28 @@ For Vault Enterprise users who need to specify a namespace:
 ```tf
 module "vault_cli" {
   source          = "registry.coder.com/coder/vault-cli/coder"
-  version         = "1.0.0"
+  version         = "1.1.0"
   agent_id        = coder_agent.example.id
   vault_addr      = "https://vault.example.com"
   vault_token     = var.vault_token
   vault_namespace = "admin/my-namespace"
 }
 ```
 
+### Vault Enterprise Binary
+
+Install the Vault Enterprise binary. This is required if using SAML authentication to Vault:
+
+```tf
+module "vault_cli" {
+  source     = "registry.coder.com/coder/vault-cli/coder"
+  version    = "1.1.0"
+  agent_id   = coder_agent.example.id
+  vault_addr = "https://vault.example.com"
+  enterprise = true
+}
+```
+
 ## Related Modules
 
 For more advanced authentication methods, see:

registry/coder/modules/vault-cli/main.tf

@@ -48,6 +48,12 @@ variable "vault_namespace" {
   default     = null
 }
 
+variable "enterprise" {
+  type        = bool
+  description = "Whether to install the enterprise version of the Vault CLI. Required if using SAML authentication to Vault."
+  default     = false
+}
+
 data "coder_workspace" "me" {}
 
 resource "coder_script" "vault_cli" {
@@ -59,6 +65,7 @@ resource "coder_script" "vault_cli" {
     VAULT_TOKEN       = var.vault_token
     INSTALL_DIR       = var.install_dir
     VAULT_CLI_VERSION = var.vault_cli_version
+    ENTERPRISE        = var.enterprise
   })
   run_on_start       = true
   start_blocks_login = true

registry/coder/modules/vault-cli/main.tftest.hcl

@@ -163,3 +163,14 @@ run "test_vault_cli_with_token_and_namespace" {
     error_message = "VAULT_NAMESPACE should match the provided vault_namespace"
   }
 }
+
+run "test_vault_cli_enterprise" {
+  variables {
+    enterprise = true
+  }
+
+  assert {
+    condition     = resource.coder_script.vault_cli.display_name == "Vault CLI"
+    error_message = "Display name should be 'Vault CLI'"
+  }
+}

registry/coder/modules/vault-cli/run.sh

@@ -5,6 +5,7 @@ VAULT_ADDR=${VAULT_ADDR}
 VAULT_TOKEN=${VAULT_TOKEN}
 INSTALL_DIR=${INSTALL_DIR}
 VAULT_CLI_VERSION=${VAULT_CLI_VERSION}
+ENTERPRISE=${ENTERPRISE}
 
 # Fetch URL content. If dest is provided, write to file; otherwise output to stdout.
 # Usage: fetch <url> [dest]
@@ -75,9 +76,18 @@ install() {
 
   # Fetch release information from HashiCorp API
   if [ "$${VAULT_CLI_VERSION}" = "latest" ]; then
-    API_URL="https://api.releases.hashicorp.com/v1/releases/vault/latest"
+    if [ "$${ENTERPRISE}" = "true" ]; then
+      API_URL="https://api.releases.hashicorp.com/v1/releases/vault/latest?license_class=enterprise"
+    else
+      API_URL="https://api.releases.hashicorp.com/v1/releases/vault/latest"
+    fi
   else
-    API_URL="https://api.releases.hashicorp.com/v1/releases/vault/$${VAULT_CLI_VERSION}"
+    # For specific version, append +ent suffix for enterprise
+    if [ "$${ENTERPRISE}" = "true" ]; then
+      API_URL="https://api.releases.hashicorp.com/v1/releases/vault/$${VAULT_CLI_VERSION}+ent"
+    else
+      API_URL="https://api.releases.hashicorp.com/v1/releases/vault/$${VAULT_CLI_VERSION}"
+    fi
   fi
 
   API_RESPONSE=$(fetch "$${API_URL}")