I am writing an automation script to download the AWS CloudHSM client and PKCS#11 packages for an aws-cloudhsm-client init container for a Vault Enterprise deployment.
The goal is to automate the config and setup of the HSM integration for vault to reference.
This is a guide that details how to do it.
https://github.com/jacobmammoliti/aws-vault-cloudhsm
My issue is that the cloud-hsm cli provided with the cloud-hsm client doesn't have an auto-yes feature for when you execute the change password command. In order to automate this I have it in an EOF block for inline script execution to use the cloud-hsm cli inside of my start up script to configure it.
The issue is I'm trying to use yes | to answer the prompt, but I don't think the EOF inline script method supports that, and I am trying to find another way around it because the cloud-hsm cli doesn't support it, which is kinda silly.
Here is a test bash script I'm running from an ubuntu:18.04 shell inside of my Kubernetes cluster to work out the automation. The HSM is on a private network, so I'm using a pod to be inside the HSM network.
apt update -y
apt-get install wget -y
wget https://repo.anaconda.com/miniconda/Miniconda3-latest-Linux-x86_64.sh
bash Miniconda3-latest-Linux-x86_64.sh -ab
export PATH=~/miniconda3/bin:${PATH}
python --version
wget https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Bionic/cloudhsm-client_latest_u18.04_amd64.deb
wget https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Bionic/cloudhsm-client-pkcs11_latest_u18.04_amd64.deb
apt install -y ./cloudhsm-client_latest_u18.04_amd64.deb
apt install -y ./cloudhsm-client-pkcs11_latest_u18.04_amd64.deb
export CLOUD_HSM_IP='HSM_IP'
export CUSTOMER_CA="base64encodedca"
export VAULT_DEFAULT_ADMIN_PASSWORD='password'
export VAULT_HSM_ADMIN_PASSWORD='myadminpassword'
export VAULT_USER='vault'
export VAULT_HSM_PASSWORD='myadminpassword'
echo "Configure Cloud HSM $CLOUD_HSM_IP"
/opt/cloudhsm/bin/configure -a ${CLOUD_HSM_IP}
echo "Config File"
cat /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg
echo "Echo Customer CA"
echo "${CUSTOMER_CA}" | base64 --decode > /opt/cloudhsm/etc/customerCA.crt
echo "Cat Customer CA"
cat /opt/cloudhsm/etc/customerCA.crt
echo "Execute cloudhsm cli"
echo "
yes | /opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg <<'EOF'
enable_e2e
loginHSM PRECO admin ${VAULT_DEFAULT_ADMIN_PASSWORD}
changePswd PRECO admin ${VAULT_HSM_ADMIN_PASSWORD}
logoutHSM
loginHSM CO admin ${VAULT_HSM_ADMIN_PASSWORD}
createUser CU ${VAULT_USER} ${VAULT_HSM_PASSWORD}
logoutHSM
quit
EOF
" > configure_hsm
cat configure_hsm
yes | bash configure_hsm
service cloudhsm-client start
Question:
How can I get around this issue, because yes | doesn't work because cloud-hsm is its own cli?
Regardless of which shell you are using, a subprocess can only receive standard input from one place.
Anything which looks like yes | binary <<EOF is basically an ambiguous redirect. Should binary receive standard input from the pipe, or from the here document? It can't be reading both. (Quick testing on Bash and Alpine Linux indicates that these shells prefer the here document in this situation, and ignore the pipe. I'm too lazy to check if this is defined somewhere like POSIX.)
From a brief read of the documentation I'm guessing you want to respond y to the "are you sure?" prompts after several of these commands. Just add that in the here document just like all the other input. For what it's worth, quoting the 'EOF' marker will prevent the shell from expanding the variables in the here document; I'm guessing probably you would not want that?
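Added example, not part of the question or the answer above: a small bash script that first shows the ambiguity the answer describes (pipe versus here document feeding the same stdin) and then the suggested fix, with the y answers placed in the here document and an unquoted delimiter so the variables expand. cloudhsm_mgmt_util is replaced by a constructed stand-in (fake_mgmt_util), and all passwords are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. A constructed stand-in
# replaces cloudhsm_mgmt_util; the command names mirror the question.

# 1. The ambiguity from the answer: a pipe and a here document both try
#    to become stdin. Returns whatever the child actually read.
stdin_source() {
    printf 'from-pipe\n' | cat <<'EOF'
from-heredoc
EOF
}

# Constructed stand-in for cloudhsm_mgmt_util: reads one command per
# line and, after changePswd and createUser, expects a y/n answer line.
fake_mgmt_util() {
    while read -r cmd _args; do
        case "$cmd" in
            changePswd|createUser)
                IFS= read -r answer || answer=''
                if [ "$answer" = "y" ]; then
                    echo "OK: $cmd"
                else
                    echo "ABORTED: $cmd"
                    return 1
                fi
                ;;
            quit) echo "OK: quit"; return 0 ;;
            *) echo "OK: $cmd" ;;
        esac
    done
}

# 2. The fix: answer the prompts from the same here document. The
#    delimiter is left unquoted so ${...} expands; values are placeholders.
run_hsm_setup() {
    local admin_pw="$1" user="$2" user_pw="$3"
    fake_mgmt_util <<EOF
loginHSM PRECO admin PLACEHOLDER_DEFAULT_PASSWORD
changePswd PRECO admin ${admin_pw}
y
logoutHSM
loginHSM CO admin ${admin_pw}
createUser CU ${user} ${user_pw}
y
logoutHSM
quit
EOF
}
```

Running stdin_source prints only from-heredoc, which is the pipe being ignored; removing either y line from run_hsm_setup makes the stand-in read the next command as the answer and report ABORTED.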