
I am studying for the Red Hat Certified Specialist in Ansible Automation (EX407) and I'm playing around with the no_log module parameter. I have a sample playbook structured like so:

---
- hosts: webservers
  tasks:
  - name: Query vCenter
    vmware_guest:
      hostname: "{{ vcenter['host'] }}"
      username: "{{ vcenter['username'] }}"
      password: "{{ vcenter['password'] }}"
      name: "{{ inventory_hostname }}"
      validate_certs: no
    delegate_to: localhost
    no_log: yes
...

When no_log is disabled, I get a lot of helpful debug information about my VM, but when no_log is disabled I obviously can't protect my playbook's vaulted data (in this case that is the vcenter['username'] and vcenter['password'] values). Enabling no_log cripples my playbook's debug output to just:

"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result",

I would like to know how it is possible to censor only some of the debug output. I know this is possible because vcenter['password'] is protected in its output regardless of my no_log state. I see this in the verbose output when no_log is disabled:

"invocation": {
        "module_args": {
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "username": "administrator@vsphere.local"
        }
}

What are your thoughts?

Kenneth Grace
  • Unfortunately this is a bad design on Ansible's part, to not allow hiding the inputs, especially in loops, unless you hide everything, which might be even worse. There was an issue to hide the module parameters from the output (https://github.com/ansible/ansible/issues/69373), but they closed it as "by design". In that case it's understandable, but not for loops, whose outputted items can be handled and hidden by Ansible (https://github.com/ansible/ansible/issues/38214). Related: https://serverfault.com/questions/1059530 – Lucas Basquerotto Jul 20 '21 at 22:30

1 Answer


So I went digging through the VMware module source code and this is what I found.

password=dict(type='str',
              aliases=['pass', 'pwd'],
              required=False,
              no_log=True,
              fallback=(env_fallback, ['VMWARE_PASSWORD'])),

Looks like Playbooks just aren't exposing this feature. The VMware modules themselves are enabling no_log on specific attributes in Python. For my part, this is just another functionality Playbooks are hiding. I really wish it was standard to suppress specific attributes, rather than a whole module, but this is where it stands as of Ansible 2.10.

Kenneth Grace
  • Yeah, if there was a way to set a specific variable in Ansible to no_log that'd be handy. Like `vars.var1.value` and `vars.var1.no_log=true` I'd be happy. – FilBot3 Dec 12 '22 at 20:27
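
The per-argument masking the answer found in the module source, as an added example that is not part of the original posts and is not Ansible's own code: a simplified Python model of how a spec entry with no_log=True hides only that argument's value in the result. The spec contents, sample values and function names are constructed for illustration.

```python
MASK = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"  # string seen in the question's output

# Constructed argument spec, shaped like the excerpt quoted in the answer.
ARGUMENT_SPEC = {
    "hostname": {"type": "str"},
    "username": {"type": "str"},
    "password": {"type": "str", "aliases": ["pass", "pwd"], "no_log": True},
    "name": {"type": "str"},
}

def resolve_aliases(spec, params):
    """Map alias keys (e.g. 'pwd') onto their canonical argument names."""
    alias_map = {a: n for n, opts in spec.items() for a in opts.get("aliases", [])}
    return {alias_map.get(k, k): v for k, v in params.items()}

def secret_values(spec, params):
    """Collect the values of every argument whose spec sets no_log=True."""
    return {str(v) for k, v in params.items()
            if spec.get(k, {}).get("no_log") and v not in (None, "")}

def scrub(data, secrets):
    """Recursively hide secret values anywhere in a result structure."""
    if isinstance(data, dict):
        return {k: scrub(v, secrets) for k, v in data.items()}
    if isinstance(data, (list, tuple)):
        return [scrub(v, secrets) for v in data]
    if isinstance(data, str):
        if data in secrets:          # whole field is the secret
            return MASK
        for s in secrets:            # secret embedded in a longer string
            data = data.replace(s, "********")
    return data

def run_module(spec, raw_params, result):
    """Return the result a caller would see, with only secret values masked."""
    params = resolve_aliases(spec, raw_params)
    out = dict(result, invocation={"module_args": params})
    return scrub(out, secret_values(spec, params))

def demo():
    """Constructed input: password passed via its 'pwd' alias and echoed in msg."""
    raw = {"hostname": "vcenter.example.test", "name": "web01",
           "username": "administrator@vsphere.local", "pwd": "S3cr3t-constructed"}
    result = {"changed": False, "instance": {"hw_name": "web01"},
              "msg": "login as administrator@vsphere.local with S3cr3t-constructed ok"}
    return run_module(ARGUMENT_SPEC, raw, result)

if __name__ == "__main__":
    print(demo())
```

The username stays visible because its spec entry does not set no_log, which matches the verbose output shown in the question.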