ansible/playbook 1: corrected Docker and Terraform GPG keys

lorcanrae · lorcanrae · commit 723cd30ad516 · 2026-01-28T18:20:09.000+02:00
diff --git a/automation/vm-ansible-setup/playbooks/setup_vm_part1.yml b/automation/vm-ansible-setup/playbooks/setup_vm_part1.yml
@@ -106,16 +106,16 @@
             state: directory
             mode: '0755'
 
-        - name: Add Docker GPG key
+        - name: Download Docker GPG key
           ansible.builtin.get_url:
             url: "https://download.docker.com/linux/ubuntu/gpg"
-            dest: "/etc/apt/keyrings/docker.gpg"
+            dest: "/etc/apt/keyrings/docker.asc"
             mode: '0644'
 
         - name: Add Docker APT repository
           ansible.builtin.apt_repository:
             repo: >
-              deb [arch={{ architecture }} signed-by=/etc/apt/keyrings/docker.gpg]
+              deb [arch={{ architecture }} signed-by=/etc/apt/keyrings/docker.asc]
               https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable
             state: present
 
@@ -178,6 +178,8 @@
           ansible.builtin.shell: |
             set -o pipefail
             gcloud services list --enabled --format="value(config.name)" | grep -q "^artifactregistry.googleapis.com$"
+          args:
+            executable: /bin/bash
           become_user: "{{ my_user }}"
           become: true
           register: gcp_ar_check
@@ -187,6 +189,8 @@
         - name: Enable GCP Artifact Registry API
           ansible.builtin.shell: |
             gcloud services enable artifactregistry.googleapis.com
+          args:
+            executable: /bin/bash
           become_user: "{{ my_user }}"
           become: true
           when: gcp_ar_check.rc != 0
@@ -232,11 +236,15 @@
       tags: terraform
       when: not terraform_check.stat.exists
       block:
-        - name: Add HashiCorp GPG key
-          ansible.builtin.get_url:
-            url: "https://apt.releases.hashicorp.com/gpg"
-            dest: "/usr/share/keyrings/hashicorp-archive-keyring.gpg"
-            mode: '0644'
+        - name: Download and dearmor HashiCorp GPG key # noqa command-instead-of-module
+          ansible.builtin.shell: |
+            set -o pipefail
+            curl -fsSL https://apt.releases.hashicorp.com/gpg | \
+            gpg --dearmor | \
+            tee /usr/share/keyrings/hashicorp-archive-keyring.gpg > /dev/null
+          args:
+            creates: /usr/share/keyrings/hashicorp-archive-keyring.gpg
+            executable: /bin/bash
 
         - name: Add HashiCorp APT repository
           ansible.builtin.apt_repository:
