
Hide "protected_settings" values from being printed in azure_rm_virtualmachineextension #277

Closed
rajsshah86 opened this issue Sep 29, 2020 · 1 comment · Fixed by #278
Labels: has_pr (PR fixes have been made), medium_priority (Medium priority), work in (In trying to solve, or in working with contributors)

Comments

@rajsshah86 (Contributor)

SUMMARY

Most of the Ansible modules hide passwords/credentials from being printed in the logs. Please note, I am not talking about specifying no_log: True on the playbook tasks in order to hide info.

For example, azure_rm_virtualmachine.py has the code below:

admin_password=dict(type='str', no_log=True)

This makes admin_password be printed as below in the logs:

"admin_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"

Can we do the same for protected_settings in the azure_rm_virtualmachineextension.py file?
I have already tested this by altering the file azure_rm_virtualmachineextension.py locally as below:

protected_settings=dict(
    type='dict', no_log=True
)

This works, and hence I wanted to get your opinion on whether this can be incorporated.

I do not want to specify no_log: True on the playbook TASK, as I want the other parameters to be visible during the execution.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

azure_rm_virtualmachineextension

ANSIBLE VERSION
ansible 2.8.5
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/opt/ansible/roles']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /bin/ansible
  python version = 2.7.5 (default, Jun 11 2019, 14:33:56) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
CONFIGURATION
ANSIBLE_NOCOWS(/etc/ansible/ansible.cfg) = True
ANSIBLE_PIPELINING(/etc/ansible/ansible.cfg) = True
ANY_ERRORS_FATAL(/etc/ansible/ansible.cfg) = True
DEFAULT_MANAGED_STR(/etc/ansible/ansible.cfg) = This file was created by Ansible, do not modify manually.
DEFAULT_MODULE_PATH(/etc/ansible/ansible.cfg) = [u'/opt/ansible/roles']
DEFAULT_PRIVATE_KEY_FILE(/etc/ansible/ansible.cfg) = /root/.ssh/vmadmin
DEFAULT_ROLES_PATH(/etc/ansible/ansible.cfg) = [u'/opt/ansible/roles']
DISPLAY_SKIPPED_HOSTS(/etc/ansible/ansible.cfg) = False
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
RETRY_FILES_ENABLED(/etc/ansible/ansible.cfg) = False
OS / ENVIRONMENT

Linux abcxyz 3.10.0-957.21.3.el7.x86_64 #1 SMP Fri Jun 14 02:54:29 EDT 2019 x86_64 x86_64 x86_64 GNU/Linux

STEPS TO REPRODUCE
---
- hosts: localhost
  gather_facts: no
  vars:
   azure_key_vault_url: "https://abcxyz.vault.azure.net"
   virtual_machine_name: 'XYZABC'
   virtual_machine_application_resource_group_name: 'RSGXYZABC'
   virtual_machine_log_analytics_linux_agent_version: '1.9'
   workspace_id: '12345678'
   workspace_key: 'secretabc'
   
  tasks:
  
    - name: 'Creating/Updating Linux Log Analytics Extension'
      azure_rm_virtualmachineextension:
        name: "{{ virtual_machine_name }}_log_analytics"
        resource_group: "{{ virtual_machine_application_resource_group_name }}"
        virtual_machine_name: "{{ virtual_machine_name }}"
        publisher: 'Microsoft.EnterpriseCloud.Monitoring'
        virtual_machine_extension_type: 'OmsAgentForLinux'
        type_handler_version: "{{ virtual_machine_log_analytics_linux_agent_version }}"
        settings: '{"workspaceId":"{{ workspace_id }}"}'
        protected_settings: "{'workspaceKey':'{{ lookup('azure_keyvault_secret', workspace_key, vault_url=azure_key_vault_url) }}'}"
        auto_upgrade_minor_version: true


EXPECTED RESULTS

In the logs the value for the protected setting must appear as "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", like below:

TASK [azure_virtual_machine : Creating/Updating Linux Log Analytics Extension] *******************************************************************
task path: /home/xxxxxx/agent/_work/r40/a/deployment/s/roles/azure_virtual_machine/tasks/extensions.yml:26
changed: [localhost] => (item=xxxxxx) => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "ansible_loop_var": "item",
    "changed": true,
    "invocation": {
        "module_args": {
            "ad_user": null,
            "adfs_authority_url": null,
            "api_profile": "latest",
            "auth_source": null,
            "auto_upgrade_minor_version": true,
            "cert_validation_mode": null,
            "client_id": null,
            "cloud_environment": "AzureCloud",
            "location": null,
            "name": "XYZABC_log_analytics",
            "password": null,
            "profile": null,
            "protected_settings": {
                "workspaceKey": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
            },
            "publisher": "Microsoft.EnterpriseCloud.Monitoring",
            "resource_group": "RSGXYZABC",
            "secret": null,
            "settings": {
                "workspaceId": "12345678"
            },
            "state": "present",
            "subscription_id": null,
            "tenant": null,
            "type_handler_version": "1.9",
            "virtual_machine_extension_type": "OmsAgentForLinux",
            "virtual_machine_name": "XYZABC"
        }

ACTUAL RESULTS

Right now, the workspace ID (secret) is getting printed in the logs.

TASK [azure_virtual_machine : Creating/Updating Linux Log Analytics Extension] *******************************************************************
task path: /home/xxxxxx/agent/_work/r40/a/deployment/s/roles/azure_virtual_machine/tasks/extensions.yml:26
changed: [localhost] => (item=xxxxxx) => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "ansible_loop_var": "item",
    "changed": true,
    "invocation": {
        "module_args": {
            "ad_user": null,
            "adfs_authority_url": null,
            "api_profile": "latest",
            "auth_source": null,
            "auto_upgrade_minor_version": true,
            "cert_validation_mode": null,
            "client_id": null,
            "cloud_environment": "AzureCloud",
            "location": null,
            "name": "XYZABC_log_analytics",
            "password": null,
            "profile": null,
            "protected_settings": {
                "workspaceKey": "<ACTUAL_WORKSPACE_KEY_SECRET_GETTING_PRINTED_HERE>"
            },
            "publisher": "Microsoft.EnterpriseCloud.Monitoring",
            "resource_group": "RSGXYZABC",
            "secret": null,
            "settings": {
                "workspaceId": "12345678"
            },
            "state": "present",
            "subscription_id": null,
            "tenant": null,
            "type_handler_version": "1.9",
            "virtual_machine_extension_type": "OmsAgentForLinux",
            "virtual_machine_name": "XYZABC"
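As an added illustration (not code from this issue, from Ansible or from the azure collection), here is a simplified Python re-implementation of what the requested no_log=True flag does inside AnsibleModule; it assumes a result dict shaped like the module_args output above and uses constructed sample values.

```python
# Added example, not code from Ansible or this collection: a simplified
# re-implementation of Ansible's no_log masking (AnsibleModule does this in
# _handle_no_log_values() and module_utils.basic.remove_values()).
NO_LOG_MARKER = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"

def leaf_strings(value):
    """Yield every non-empty string leaf of a nested dict/list/str value."""
    if isinstance(value, dict):
        for v in value.values():
            yield from leaf_strings(v)
    elif isinstance(value, (list, tuple)):
        for v in value:
            yield from leaf_strings(v)
    elif isinstance(value, str) and value:
        yield value

def remove_values(data, secrets):
    """Copy data, replacing every string equal to a secret with the marker."""
    if isinstance(data, dict):
        return {k: remove_values(v, secrets) for k, v in data.items()}
    if isinstance(data, list):
        return [remove_values(v, secrets) for v in data]
    return NO_LOG_MARKER if isinstance(data, str) and data in secrets else data

def sanitize_result(argument_spec, result):
    """Mask no_log parameters the way Ansible logs a module result: a no_log
    dict contributes each nested leaf string, so keys such as 'workspaceKey'
    survive while values are masked, and the same strings are scrubbed
    anywhere else in the result as well."""
    params = result.get("invocation", {}).get("module_args", {})
    secrets = set()
    for name, spec in argument_spec.items():
        if spec.get("no_log") and params.get(name) is not None:
            secrets.update(leaf_strings(params[name]))
    return remove_values(result, secrets)

# Constructed sample mirroring the issue: protected_settings carries the
# reporter's no_log=True change, settings stays visible.
ARGUMENT_SPEC = {
    "settings": dict(type="dict"),
    "protected_settings": dict(type="dict", no_log=True),
}
SAMPLE_RESULT = {
    "changed": True,
    "invocation": {"module_args": {
        "settings": {"workspaceId": "12345678"},
        "protected_settings": {"workspaceKey": "s3cr3t-workspace-key"}}},
    # a return value echoing the key would leak if only module_args were masked
    "extension": {"protectedSettings": {"workspaceKey": "s3cr3t-workspace-key"}},
}
```

Without no_log on the dict parameter (remove the flag from ARGUMENT_SPEC) the same call returns the result unchanged, which is the "actual results" case above.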

@Fred-sun (Collaborator)

@rajsshah86 Thank you for reporting this issue. This is fine. You are welcome to submit a PR to fix it. Thank you!

protected_settings=dict(
                type='dict', no_log=True
            )

Fred-sun added the medium_priority and work in labels on Sep 30, 2020
Fred-sun added the has_pr label on Oct 9, 2020