Check for errors in lunacm commands

Also stop using password for the list-ha-groups script since we don't
care about the sync status.

files/list-ha-groups

@@ -14,7 +14,5 @@ set timeout -1
 spawn /usr/safenet/lunaclient/bin/lunacm -c hagroup listgroups
 match_max 100000
 expect "	Enter the password: "
-send -- "{{ lunasa_partition_password }}"
-expect -exact "****************"
 send -- "\r"
 expect eof

tasks/main.yaml

@@ -40,10 +40,9 @@
   command: /usr/safenet/lunaclient/bin/vtl verify
   become: true
 
-# create HA partition
-# /vtl haAdmin -newGroup -serialNum 65003001 -label myHAgroup -password userpin
 - name: create hsm ha partition
   when: lunasa_ha_label is defined
+  become: true
   block:
     - name: create ha partition
       shell: |
@@ -51,39 +50,44 @@
           -label  {{ lunasa_ha_label }} \
           -serialNumber {{ lunasa_hsms[0].partition_serial }} \
           -password {{ lunasa_partition_password }}
-      become: yes
+      register: result
+      failed_when:
+        - 'Command Result : No Error' not in result.stdout
+        - 'for the new group has already been used' not in result.stdout
 
     - name: add other hsms to the ha group
       shell: |
-        /usr/safenet/lunaclient/bin/lunacm -c hagroup addMember \
+        echo 'copy' | /usr/safenet/lunaclient/bin/lunacm -c hagroup addMember \
           -group {{ lunasa_ha_label }} \
-          -serial {{ item.partition_serial }} \
+          -serialNumber {{ item.partition_serial }} \
           -password {{ lunasa_partition_password }} 
       loop: "{{ lunasa_hsms }}"
       loop_control:
         extended: yes
       when: ansible_loop.first != True
-      become: yes
+      register: result
+      failed_when:
+        - 'Command Result : No Error' not in result.stdout
+        - 'The member you specified is already part of an' not in result.stdout
 
-    - name: Generate expect script to check  HA status
-      template:
+    - name: Copy expect script to check  HA status
+      copy:
         src: list-ha-groups.j2
         dest: /usr/safenet/lunaclient/bin/list-ha-groups
         owner: root
         group: root
         mode: 0755
-      become: yes
 
     - name: Check the HA group
       shell: |
-        /usr/safenet/lunaclient/bin/list-ha-groups | grep 'HA Group Slot ID' | awk '{ print $NF }'
+        /usr/safenet/lunaclient/bin/list-ha-groups
+      register: result
+      failed_when: 'Command Result : No Error' not in result.stdout
+
+    - name: Register the HA Slot ID
+      shell: |
+        set -o pipefail && /usr/safenet/lunaclient/bin/list-ha-groups | grep 'HA Group Slot ID' | awk '{ print $NF }'
       register: ha_slot
-      become: yes
 
     - debug:
-        msg: "{{ ha_slot }}"
-
-#    - name: remove expect script
-#      file:
-#        path: /usr/safenet/lunaclient/bin/list-ha-groups
-#        state: absent
+        msg: "HA Slot ID: {{ ha_slot.stdout }}"

tasks/register_hsm.yaml

@@ -1,14 +1,13 @@
 ---
 - debug:
     msg: "Registering the following HSM: {{ hsm_name }}"
- 
+
 - name: Get the hsm server cert from the hsm_server
   shell: |
     sshpass -p '{{ hsm_admin_password }}' \
       scp -o StrictHostKeyChecking=false admin@{{ hsm_hostname }}:server.pem /usr/safenet/lunaclient/bin/{{ hsm_hostname }}.pem
   become: true
 
-# TODO: do dns and ip addresses
 - name: Register the HSM server cert with the client
   shell: |
     /usr/safenet/lunaclient/bin/vtl addServer -n {{ hsm_hostname }} \
@@ -35,12 +34,6 @@
       admin@{{ hsm_hostname }}:{{ client_ip }}.pem
   become: true
 
-- name: List clients on the hsm_server
-  shell: |
-    sshpass -p '{{ hsm_admin_password }}' \
-      ssh admin@{{ hsm_hostname }} -C "client list"
-  become: true
-
 # A client with the same hostname has already been registered
 - name: Register the client certificate on the hsm_server
   shell: |