Fixes several bugs with the install_agent role

roles/install_agent/README.md

@@ -33,11 +33,12 @@ Requirements
 An API key is required to use this role. It is considered best practice to create a specific 'API user' role for this purpose.
 
 The API user requires the following permissions:
-- Read site info
-- Read group info (if the scope is set to group)
-- Download agent packages
-- Read the site or group registration token
-- Read agent information
+- Endpoints -> View
+- Accounts -> View
+- Agent Packages -> View
+- Groups -> View (If the scope is set to "group")
+- Roles -> View
+- Sites -> View
 
 ### GPG Key (Linux only)
 You need to provide the gpg key to validate the package signatures correctly. You obtain the download link from the Sentinelone Help page: "**How to Install on a Linux Endpoint with Yum**".

roles/install_agent/tasks/Linux.yml

@@ -7,7 +7,7 @@
   when: not agent_installed
   become: true
   block:
     - name: Get dmesg output
       ansible.builtin.command: dmesg
       changed_when: false
       register: dmesg_output
@@ -27,7 +27,6 @@
     - name: "Block: RPM based systems"
       when: pkg_format == "rpm"
       block:
-
         - name: "Linux: Copy gpg key to remote server"
           ansible.builtin.copy:
             src: "{{ gpg_key }}"
@@ -40,7 +39,7 @@
             key: "{{ remote_gpg_key_path }}"
           when: signed_package
 
         - name: "Linux: Install unsigned .rpm agent package via rpm"
           ansible.builtin.command:
             cmd: "rpm -i --nodigest {{ remote_pkg_path }}"
             creates: "/opt/sentinelone/bin/sentinelctl"
@@ -53,27 +52,26 @@
 
     - name: "Block: DEB based systems"
       when: pkg_format == "deb"
+      become: true
       block:
         - name: "Install gpg"
           ansible.builtin.apt:
             name: gpg
             update_cache: true
 
-        - name: "Linux: Copy gpg key to remote server"
+        - name: "Linux: Install GPG key to trusted.gpg.d"
           ansible.builtin.copy:
             src: "{{ gpg_key }}"
-            dest: "{{ remote_gpg_key_path }}"
+            dest: /etc/apt/trusted.gpg.d/sentinelone.gpg
+            owner: root
+            group: root
             mode: "0644"
 
-        - name: "Linux: Import GPG key for apt"
-          ansible.builtin.apt_key:
-            file: "{{ remote_gpg_key_path }}"
-
         - name: "Linux: Install deb agent package {{ remote_pkg_path }}"
           ansible.builtin.apt:
             deb: "{{ remote_pkg_path }}"
 
 - name: "Linux: Check if agent is already registered"
   ansible.builtin.shell:
     # \\s needed because yaml interprets \s as escape sequence
     cmd: "set -o pipefail && /opt/sentinelone/bin/sentinelctl management status | grep -E '^Connectivity\\s+(On|Off)$' | awk '{ print $2 }'"

roles/install_agent/tasks/main.yml

@@ -31,6 +31,7 @@
       or sentinelagent_service.exists | default(false) else false }}"
 
 - name: "Download agent to localhost. Version: {{ agent_version }}"
+  become: false
   sva.sentinelone.sentinelone_download_agent:
     console_url: "{{ console_url }}"
     token: "{{ api_token }}"
@@ -47,6 +48,7 @@
 
 - name: "Block: Get registration token from API"
   run_once: true
+  become: false
   block:
     - name: "Get siteid"
       ansible.builtin.uri:
@@ -94,7 +96,7 @@
 
     - name: "Set endpoint URI to get the correct registration token"
       ansible.builtin.set_fact:
-        reg_token_uri: "{{ \"groups/{{ groupid }}/token\" if group is defined else \"sites/{{ siteid }}/token\" }}"
+        reg_token_uri: "{{ 'groups/' ~ groupid ~ '/token' if group is defined else 'sites/' ~ siteid ~ '/token' }}"
 
     - name: "Get registration token"
       ansible.builtin.uri:
@@ -117,13 +119,15 @@
   ansible.builtin.include_tasks: "{{ custom_os_family }}.yml"
 
 - name: "Remove agent install package from localhost"
+  become: false
   ansible.builtin.file:
     path: "{{ return_download_agent.original_message.full_path }}"
     state: absent
   delegate_to: localhost
   when: not agent_installed
 
 - name: "Fail if new client does not appear in management console"
+  become: false
   ansible.builtin.uri:
     url: "{{ api_url }}agents?siteIds={{ siteid }}&computerName={{ ansible_hostname | urlencode }}&isActive=true"
     method: GET
@@ -136,6 +140,6 @@
   register: registrationstatus
   delegate_to: localhost
   no_log: "{{ hide_sensitive }}"
-  until: ((registrationstatus.json.data | length) > 0) and (registrationstatus.status == 200)
+  until: (registrationstatus.json.data | default([]) | length > 0) and (registrationstatus.status | default(0) == 200)
   retries: "{{ check_console_retries }}"
   delay: "{{ check_console_retry_delay }}"