Add GPG verification, default to latest, and CI

.fixtures.yml

@@ -0,0 +1,10 @@
+fixtures:
+  forge_modules:
+    stdlib:
+      repo: puppetlabs/stdlib
+      ref: 9.0.0
+    archive:
+      repo: puppet/archive
+      ref: 7.0.0
+  symlinks:
+    awscli2: "#{source_dir}"

.github/workflows/test.yml

@@ -0,0 +1,52 @@
+name: CI
+
+on:
+  push:
+    branches: [main, feature/*]
+  pull_request:
+    branches: [main]
+
+jobs:
+  lint:
+    name: Puppet Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.2'
+          bundler-cache: true
+
+      - name: Run puppet-lint
+        run: bundle exec rake lint
+
+  spec:
+    name: RSpec Tests (Puppet ${{ matrix.puppet }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        puppet: ['7', '8']
+        include:
+          - puppet: '7'
+            ruby: '3.1'
+          - puppet: '8'
+            ruby: '3.2'
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Ruby ${{ matrix.ruby }}
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+        env:
+          PUPPET_GEM_VERSION: "~> ${{ matrix.puppet }}.0"
+
+      - name: Run spec tests
+        run: bundle exec rake spec
+        env:
+          PUPPET_GEM_VERSION: "~> ${{ matrix.puppet }}.0"

.rspec

@@ -0,0 +1,2 @@
+--color
+--format documentation

Gemfile

@@ -0,0 +1,11 @@
+source 'https://rubygems.org'
+
+gem 'puppet', ENV['PUPPET_GEM_VERSION'] || '>= 7.0'
+gem 'rake'
+
+group :test do
+  gem 'rspec-puppet', '~> 4.0'
+  gem 'rspec-puppet-facts', '~> 4.0'
+  gem 'puppetlabs_spec_helper', '~> 7.0'
+  gem 'puppet-lint', '~> 4.0'
+end

README.md

@@ -1,18 +1,30 @@
+# puppet-awscli2
+
+This is a fork of [umd/awscli2](https://forge.puppet.com/modules/umd/awscli2) from the University of Maryland.
+
+The original source repository is at https://gitlab.umd.edu/it-platform/puppet-awscli2 - but I can't access it, probably it's behind a firewall.
+
+## Fork Changes
+
+- **GPG signature verification**: Downloads are verified using the official AWS CLI public key before installation
+- **Default to latest version**: The `version` parameter now defaults to `'latest'` for automatic updates
+- **Ubuntu support**: Added explicit support for Ubuntu 20.04 and 24.04
+
 #### Table of Contents
 
 1. [Overview](#overview)
 2. [Module Description - What the module does and why it is useful](#module-description)
 3. [Setup - The basics of getting started with awscli2](#setup)
     * [What awscli2 affects](#what-awscli2-affects)
+    * [Requirements](#requirements)
 4. [Usage - Configuration options and additional functionality](#usage)
-    * [Required Parameters](#required-parameters)
     * [Optional Parameters](#optional-parameters)
-    * [Example](#example)
+    * [Examples](#examples)
 5. [Limitations - OS compatibility, etc.](#limitations)
 
 ## Overview
 
-This module installs (or upgrades, or un-installs) the AWS CLI v2. Redhat has dropped the AWS CLI v1 from its repositories, and AWS has packaged up v2 of the CLI with all dependencies included (but not packaged it as an RPM).
+This module installs (or upgrades, or un-installs) the AWS CLI v2. AWS has packaged up v2 of the CLI with all dependencies included (but not packaged it as a deb or RPM).
 
 ## Module Description
 
@@ -22,10 +34,16 @@ command (provided by redhat) was installed into that location, and we do
 not want to break any scripts that do not have `/usr/local/bin` in their path
 or may have hard-coded `/usr/bin/aws`.
 
-This module requires the manual specification of the version of the CLI to
-install. This was done to prevent having to download the `latest` zip file
-from AWS on every puppet run just to see if it has been updated. This module
-will remove older versions after a successful upgrade to keep disk space down.
+By default, this module installs the latest available version of the CLI.
+When using a specific version, this module will remove older versions after
+a successful upgrade to keep disk space down. When using `'latest'`, old
+version cleanup is skipped since the version directory name is not known
+at Puppet compile time.
+
+By default, this module verifies the GPG signature of the downloaded package
+using the official AWS CLI public key, as recommended by AWS. This ensures
+the integrity and authenticity of the installer. See:
+https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
 
 This module delivers a custom fact (`umd_awscliv2_version`) which is used to
 determine if an upgrade or clean install is needed (it will do nothing if
@@ -35,7 +53,7 @@ This module is not a complete replacement for a package management system, and
 it is possible for it to fail to un-install older versions on upgrade or
 `absent`. In particular, the currently installed version fact is based on
 the current value of `$bin_path`, and changing this parameter after an install
-has happened will leave the previous installation abandoned. 
+has happened will leave the previous installation abandoned.
 
 ## Setup
 
@@ -44,26 +62,39 @@ has happened will leave the previous installation abandoned.
 * By default, it will install the CLI into `/usr/local/aws-cli`.
 * By default, it will symlink binaries (`aws`, `aws_completer`) into `/usr/bin`.
 
-## Usage
+### Requirements
 
-Include the `awscli2` class and define the following parameters as required:
+* `gpg` - Required for signature verification (enabled by default).
+* `unzip` - Required for extracting the installer when signature verification is enabled.
 
-### Required Parameters
+## Usage
 
-* `version`: The version of the CLI to install
+Include the `awscli2` class and define the following parameters as required:
 
 ### Optional Parameters
 
+* `version`: The version of the CLI to install, e.g. `'2.15.0'`. Defaults to `'latest'`, which always installs/upgrades to the latest available version. Note: Using `'latest'` will attempt to download and run the installer on every Puppet run (the installer handles idempotency).
 * `ensure`: Set to `absent` to un-install the AWS CLI.
 * `install_dir`: Path to install the CLI into. Defaults to `/usr/local/aws-cli`.
 * `bin_dir`: Path to create symlinks to binaries. Defaults to `/usr/bin`.
+* `verify_signature`: Whether to verify the GPG signature of the downloaded package. Defaults to `true`.
+
+### Examples
+
+Install the latest version (default):
+
+```yaml
+---
+classes:
+  - awscli2
+```
 
-### Example
+Install a specific version:
 
 ```yaml
 ---
 classes:
   - awscli2
-awscli2::version: '2.0.28'
+awscli2::version: '2.15.0'
 ```
 

Rakefile

@@ -0,0 +1,9 @@
+require 'puppetlabs_spec_helper/rake_tasks'
+require 'puppet-lint/tasks/puppet-lint'
+
+PuppetLint.configuration.send('disable_80chars')
+PuppetLint.configuration.send('disable_140chars')
+PuppetLint.configuration.ignore_paths = ['spec/**/*.pp', 'vendor/**/*.pp']
+
+desc 'Run all tests'
+task :test => [:lint, :spec]

files/aws-cli-public-key.asc

@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBF2Cr7UBEADJZHcgusOJl7ENSyumXh85z0TRV0xJorM2B/JL0kHOyigQluUG
+ZMLhENaG0bYatdrKP+3H91lvK050pXwnO/R7fB/FSTouki4ciIx5OuLlnJZIxSzx
+PqGl0mkxImLNbGWoi6Lto0LYxqHN2iQtzlwTVmq9733zd3XfcXrZ3+LblHAgEt5G
+TfNxEKJ8soPLyWmwDH6HWCnjZ/aIQRBTIQ05uVeEoYxSh6wOai7ss/KveoSNBbYz
+gbdzoqI2Y8cgH2nbfgp3DSasaLZEdCSsIsK1u05CinE7k2qZ7KgKAUIcT/cR/grk
+C6VwsnDU0OUCideXcQ8WeHutqvgZH1JgKDbznoIzeQHJD238GEu+eKhRHcz8/jeG
+94zkcgJOz3KbZGYMiTh277Fvj9zzvZsbMBCedV1BTg3TqgvdX4bdkhf5cH+7NtWO
+lrFj6UwAsGukBTAOxC0l/dnSmZhJ7Z1KmEWilro/gOrjtOxqRQutlIqG22TaqoPG
+fYVN+en3Zwbt97kcgZDwqbuykNt64oZWc4XKCa3mprEGC3IbJTBFqglXmZ7l9ywG
+EEUJYOlb2XrSuPWml39beWdKM8kzr1OjnlOm6+lpTRCBfo0wa9F8YZRhHPAkwKkX
+XDeOGpWRj4ohOx0d2GWkyV5xyN14p2tQOCdOODmz80yUTgRpPVQUtOEhXQARAQAB
+tCFBV1MgQ0xJIFRlYW0gPGF3cy1jbGlAYW1hem9uLmNvbT6JAlQEEwEIAD4CGwMF
+CwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQT7Xbd/1cEYuAURraimMQrMRnJHXAUC
+aGveYQUJDMpiLAAKCRCmMQrMRnJHXKBYD/9Ab0qQdGiO5hObchG8xh8Rpb4Mjyf6
+0JrVo6m8GNjNj6BHkSc8fuTQJ/FaEhaQxj3pjZ3GXPrXjIIVChmICLlFuRXYzrXc
+Pw0lniybypsZEVai5kO0tCNBCCFuMN9RsmmRG8mf7lC4FSTbUDmxG/QlYK+0IV/l
+uJkzxWa+rySkdpm0JdqumjegNRgObdXHAQDWlubWQHWyZyIQ2B4U7AxqSpcdJp6I
+S4Zds4wVLd1WE5pquYQ8vS2cNlDm4QNg8wTj58e3lKN47hXHMIb6CHxRnb947oJa
+pg189LLPR5koh+EorNkA1wu5mAJtJvy5YMsppy2y/kIjp3lyY6AmPT1posgGk70Z
+CmToEZ5rbd7ARExtlh76A0cabMDFlEHDIK8RNUOSRr7L64+KxOUegKBfQHb9dADY
+qqiKqpCbKgvtWlds909Ms74JBgr2KwZCSY1HaOxnIr4CY43QRqAq5YHOay/mU+6w
+hhmdF18vpyK0vfkvvGresWtSXbag7Hkt3XjaEw76BzxQH21EBDqU8WJVjHgU6ru+
+DJTs+SxgJbaT3hb/vyjlw0lK+hFfhWKRwgOXH8vqducF95NRSUxtS4fpqxWVaw3Q
+V2OWSjbne99A5EPEySzryFTKbMGwaTlAwMCwYevt4YT6eb7NmFhTx0Fis4TalUs+
+j+c7Kg92pDx2uQ==
+=OBAt
+-----END PGP PUBLIC KEY BLOCK-----

manifests/init.pp

@@ -7,7 +7,10 @@
 # ----------
 #
 # @param version
-#   Version of the AWS CLI to install. E.g. "2.0.28"
+#   Version of the AWS CLI to install. E.g. "2.0.28", or "latest" to always
+#   install/upgrade to the latest available version. Defaults to "latest".
+#   Note: Using "latest" will attempt to download and run the installer on
+#   every Puppet run (the installer handles idempotency).
 #
 # @param ensure
 #   Set to `absent` to un-install the AWS CLI. Set to `present` to
@@ -17,14 +20,20 @@
 #   Path to install the AWS CLI into. Defaults to `/usr/local/aws-cli`.
 #
 # @param bin_dir
-#   The directory to store symlinks to eecutables for the AWS CLI.
+#   The directory to store symlinks to executables for the AWS CLI.
 #   Defaults to `/usr/bin`.
 #
+# @param verify_signature
+#   Whether to verify the GPG signature of the downloaded package.
+#   Defaults to `true`. Requires `gpg` and `unzip` to be installed.
+#   See: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
+#
 class awscli2 (
-  String[1]                 $version,
+  String[1]                 $version = 'latest',
   Enum['absent', 'present'] $ensure = 'present',
   String[1]                 $install_dir = '/usr/local/aws-cli',
   String[1]                 $bin_dir = '/usr/bin',
+  Boolean                   $verify_signature = true,
 ) {
   if $ensure == 'absent' {
     contain awscli2::uninstall