I’m in the process of adding no_log: true to all of our playbook tasks that have secrets in them. However, we still want to be able to see the logs when troubleshooting in lower regions, and not have to change any values in our playbooks, as we are afraid someone will turn this off for troubleshooting, and forget to flip it back, then merge this into our production branch (peer reviews aren’t catching this at the moment). So I came up with the idea of using no_log: "{{ ansible_verbosity == 0 }}". So no_log will be true when we do not run the playbook with any verbosity, but when we enable any verbosity we will see the output.
However, my issue is I have a requirement for our production playbooks to always have no_log: true set. Everything that I have seen says that a Job Template name or Project name is not exposed to the playbook; we do have all our project and job template names with the development region in them.
Another idea I had was to use an extra_var or a survey item on the Job Template. However, our AAP admin isn’t keen on going back and adding this to all our Job Templates.
Does anyone else have a solution for this, or additional ideas?
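
One way to catch the case peer review is missing, as an added example that is not part of the original post: a line-based Python check a CI job could run against the production branch, flagging every no_log that is not a literal true. The function names, the two policy modes and the sample playbook are assumptions constructed for illustration.

```python
import re
import sys

# Matches a `no_log:` key on one line and captures its raw value; a trailing
# YAML comment is dropped. Assumption: the value is written on the same line.
NO_LOG_RE = re.compile(r"^\s*(?:-\s+)?no_log\s*:\s*(?P<value>.*?)(?:\s+#.*)?$")

def classify(value):
    """Return 'enforced', 'conditional' (Jinja expression) or 'disabled'."""
    bare = value.strip().strip("'\"").strip()
    if bare.lower() in {"true", "yes"}:
        return "enforced"
    if "{{" in bare:
        return "conditional"
    return "disabled"

def audit(playbook_text, production):
    """List (line_number, status, raw_value) for every policy violation.
    production=True: only a literal true passes.
    production=False: templated values pass too; anything else is flagged."""
    findings = []
    for number, line in enumerate(playbook_text.splitlines(), start=1):
        match = NO_LOG_RE.match(line)
        if not match:
            continue
        status = classify(match.group("value"))
        if status == "disabled" or (production and status == "conditional"):
            findings.append((number, status, match.group("value").strip()))
    return findings

# Constructed sample playbook (hypothetical tasks, URL and command path).
SAMPLE = """\
- name: Create API user
  ansible.builtin.uri:
    url: https://example.invalid/api/users
    body: "{{ api_payload }}"
  no_log: true

- name: Rotate DB password
  ansible.builtin.command: /usr/local/bin/rotate --password {{ db_password }}
  no_log: "{{ ansible_verbosity == 0 }}"

- name: Debug leftover
  ansible.builtin.debug:
    var: vault_token
  no_log: false  # flipped for troubleshooting
"""

if __name__ == "__main__":
    hits = audit(SAMPLE, production=True)
    for number, status, raw in hits:
        print(f"line {number}: no_log is {status}: {raw}")
    sys.exit(1 if hits else 0)
```

The check only inspects tasks that already carry a no_log key; tasks that handle secrets without one need a separate review.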