Hey, I recently discovered role argument validation and started to include meta/argument_specs.yml in my roles. Some of the input arguments of my role are sensitive values, so I was looking through the documentation to see whether something like no_log exists in this specification, since I’m not aware of any method to mark certain variables as sensitive. This is something I’m used to from terraform. I was afraid that the argument validation might print the sensitive values in case any of the role input arguments don’t comply with this spec and the validation fails.
During my search, I discovered that there are three places where argument validation in form of argument_spec exists and I’m a little confused now.
The first one seems to be for module developers while the other two are for more for endusers like me. The latter two seem to just prepend a special task before the play/role runs (ansible.builtin.validate_argument_spec).
The thing I’m asking myself now is whether all these variants are different or if they are actually the same thing. Are the latter two just subsets of the first one or do they have the same available keywords but it’s just not documented?
Coming back to my the reason why I was searching for this initially, the argument spec in the AnsibleModule documentation has a no_log keyword. The others do not. It in fact has many more keywords that could be useful in a play and role argument_spec, like mutually_exclusive.
So, which keywords can actually be used in the argument_spec for my role? Only those here or also those here?