Thanks. That helps me understand the scope of the various issues.
I’m still surprised at the vault-preserving behavior of to_yaml. Apparently I’ve never used it to emit data containing vaulted strings.
Also, the notion that to_yaml would behave differently from to_json or to_toml or to_whatever doesn’t feel right. On the other hand, json doesn’t have a tagging mechanism like yaml, so…
So to_yaml is a weird one-off. I’m settling on the opinion that there is no correct default when to_yamling data containing vaulted strings. I could see a tags.vaulted parameter which could be either unspecified or one of ['preserve', 'decrypt', 'obfuscate'], then have it fail when it’s unspecified and passed vaulted data. That would leave the door open to deal with other types of tags (“sensitive”, user-defined) down the road which might require other behaviors. (I’d really like an obfuscate option.) That scheme could be adopted by other filters, too. Alas, the “fail” part would be a breaking change, so it would have to be phased in carefully.
I’ve hacked together a community.general.to_yaml and community.general.to_nice_yaml filter which do not preserve vaulted strings:
They work with ansible-core >= 2.16 (which community.general 11.x.y supports; probably also some older ansible-core versions should work).
The obfuscate option sounds interesting, I’ll take a look at that tomorrow. For ansible-core 2.19+ that should be trivial to implement since transform_to_native_types allows setting redact=True; for ansible-core 2.18 and before it’s also trivial since _to_native_types right now calls value.data to decrypt, but can in that case simply return <redacted> (the string that ansible-core 2.19+ returns if redact=True).
The behavior changed for that filter. Doesn’t matter if the code itself didn’t change or not.
Prior to 2.19 piping a vault encrypted string into it, would render the decrypted string, now it renders a representation of said vault encrypted string.
That is changed behavior. Doesn’t matter why that change in behavior occurs, it’s still a change.
The filter’s behaviour has not changed, the data you are feeding it has changed due to a bug being fixed.
This distinction does matter, because if the filter had been changed in such a drastic way it would be reasonable to revert that change to avoid breaking people’s existing Ansible content. Instead the opposite is true: addressing your case by changing the filter’s behaviour would be a breaking change with security implications.
This is not true. Here’s a demonstration of the filter’s behaviour in 2.13 (the oldest version I can easily test in my environment, released in 2022):
