Question regarding no_log = true

Hi all,

Below is my task to run Terraform code and the Vinyl entry for a newly created VM on the vSphere vCenter. I have passed my credentials in the Ansible Vault file “secrets.yaml”. My question is that when I run the playbook, my credentials are visible in the log. When I use no_log = true, I can't see the log if there is any error. Can anyone help me with how to handle that?

```yaml
---
- name: Building Windows VM
  hosts: localhost
  vars:
    domain: "xyz.test.com"
  vars_files:
    - variables/vm_data.yaml
    - secrets.yaml
  tasks:
    - name: Build_VM
      shell: |
        cd terraform_config_files/Windows
        terraform apply -var 'vsphere_username={{vsphere_username}}' -var 'vsphere_password={{vsphere_password}}' -var 'domain_admin_username={{domain_admin_username}}' -var 'domain_admin_password={{domain_admin_password}}' -var 'vm_admin_password={{vm_admin_password}}' -auto-approve
      register: output
      no_log: true
      tags:
        - terraform apply

    - name: Vinyl entry
      shell: vinylcli create-record-set --access-key {{access_key}} --secret-key {{secret_key}} --record-set-name {{vm_name}} --record-set-ip {{vm_ipv4_address}} --domain {{domain}} --ipcontrol-username {{ipcontrol_username}} --ipcontrol-password '{{ipcontrol_password}}'
      no_log: true
      tags:
        - vinyl_entry
```

Sadly, with shell it is an “all or nothing” choice. If there were a specific vinyl action that could flag the specific fields as no_log.

Also, in general, passing secrets in the command line is not very secure, as any user on that system that can inspect the process list and arguments can see it.

Environment variables are slightly better, but I don’t know enough about vinyl to give you alternatives.
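An added example, not part of the original thread or written by either poster: one way to apply the environment-variable suggestion to the Terraform task while still seeing errors. It assumes the Terraform configuration declares variables with the same names used in the original `-var` arguments (Terraform reads `TF_VAR_<name>` from the environment) and that the vault values are non-empty strings. The Vinyl task is left out because the thread gives no environment-variable option for `vinylcli`.

```yaml
---
- name: Building Windows VM
  hosts: localhost
  vars_files:
    - variables/vm_data.yaml
    - secrets.yaml
  tasks:
    - name: Build_VM
      ansible.builtin.command:
        # No secrets on the command line, so nothing shows up in the process list.
        cmd: terraform apply -auto-approve -input=false -no-color
        chdir: terraform_config_files/Windows
      environment:
        # Terraform maps TF_VAR_<name> to the input variable <name>.
        TF_VAR_vsphere_username: "{{ vsphere_username }}"
        TF_VAR_vsphere_password: "{{ vsphere_password }}"
        TF_VAR_domain_admin_username: "{{ domain_admin_username }}"
        TF_VAR_domain_admin_password: "{{ domain_admin_password }}"
        TF_VAR_vm_admin_password: "{{ vm_admin_password }}"
      register: output
      # Keep the raw result out of the log; failure is reported by the next task.
      no_log: true
      failed_when: false
      tags:
        - terraform apply

    - name: Report Terraform failure with secrets masked
      ansible.builtin.fail:
        # Print stderr only after replacing every known secret value.
        # Assumption: each password is non-empty (an empty string would break replace).
        msg: >-
          terraform apply failed (rc={{ output.rc }}):
          {{ (output.stderr | default(''))
             | replace(vsphere_password, '********')
             | replace(domain_admin_password, '********')
             | replace(vm_admin_password, '********') }}
      when: output.rc != 0
      tags:
        - terraform apply
```

The masking only covers the values listed in the `replace` chain, so any other secret that Terraform could echo in an error message needs its own `replace` entry.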