Issue
I am studying for the RedHat Certified Specialist in Ansible Automation (EX407) and I'm playing around with the no_log module parameter. I have a sample playbook structured as so;
---
- hosts: webservers
tasks:
- name: Query vCenter
vmware_guest:
hostname: "{{ vcenter['host'] }}"
username: "{{ vcenter['username'] }}"
password: "{{ vcenter['password'] }}"
name: "{{ inventory_hostname }}"
validate_certs: no
delegate_to: localhost
no_log: yes
...
When no_log is disabled, I get a lot of helpful debug information about my VM, but when no_log is disabled I obviously can't protect my playbooks vaulted data (in this case that is the vcenter['username'] and vcenter['password'] values). Enabling no_log cripples my playbooks debug output to just;
"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result",
I would like to know how it is possible to censor only some of the debug output. I know this is possible because vcenter['password'] is protected in it's output regardless of my no_log state. I see this in the verbose output when no_log is disabled;
"invocation": {
"module_args": {
"password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"username": "[email protected]"
}
}
What are your thoughts?
Solution
So I went digging through the VMWare module source code and this is what I found.
password=dict(type='str',
aliases=['pass', 'pwd'],
required=False,
no_log=True,
fallback=(env_fallback, ['VMWARE_PASSWORD'])),
Looks like Playbooks just aren't exposing this feature. The VMWare modules themselves are enabling no_log on specific attributes in Python. For my part, this is just another functionality Playbooks are hiding. I really wish it was standard to suppress specific attributes, rather than a whole module, but this is where it stands as of Ansible 2.10.
Answered By - Kenneth Grace
