Skip to content
This repository has been archived by the owner on Aug 18, 2023. It is now read-only.

Commit

Permalink
Mask environment configuration with no_log
Browse files Browse the repository at this point in the history
Environment files are frequently used to inject sensitive values to daemons. This change enables the no_log flag on this task.

Alternatively, we could have two tasks that do the same thing and require users to opt out/in like such:

```yaml
prometheus_my_exporter_env_vars:
   foo: 'not a secret, i like my diffs'
prometheus_my_exporter_env_insensitive: true
```
  • Loading branch information
dekimsey committed Aug 26, 2021
1 parent 378b74a commit 9205e25
Show file tree
Hide file tree
Showing 2 changed files with 6 additions and 1 deletion.
1 change: 1 addition & 0 deletions tasks/_service.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
notify:
- Restart Prometheus service
when: prometheus_software_env_vars is defined and prometheus_software_env_vars
no_log: True

- name: Include task to setup {{ prometheus_software_name_version }} {{ ansible_service_mgr }} service
include_tasks: '_service_mgr_{{ ansible_service_mgr | regex_replace("^(openrc|upstart)$", "init") }}.yml'
Expand Down
6 changes: 5 additions & 1 deletion tasks/_setup_software_facts.yml
Original file line number Diff line number Diff line change
Expand Up @@ -117,7 +117,6 @@
- name: Set {{ prometheus_software_name }} generic facts
set_fact:
prometheus_software_build_prerequisites: '{{ prometheus_software_os_options.build_prerequisites | default([]) }}'
prometheus_software_env_vars: '{{ lookup("vars", "prometheus_" + prometheus_software_name + "_env_vars", default={}) }}'
prometheus_software_extra_opts: '{{ lookup("vars", "prometheus_" + prometheus_software_name + "_extra_opts", default="") }}'
prometheus_software_fallback_to_build: >-
{{ lookup("vars", "prometheus_" + prometheus_software_name + "_fallback_to_build", default=prometheus_fallback_to_build) }}
Expand All @@ -141,3 +140,8 @@
{% endif %}"
prometheus_software_tgroup_jobname: >-
{{ lookup("vars", "prometheus_" + prometheus_software_name + "_jobname", default=prometheus_software_default_jobname) }}
- name: Set {{ prometheus_software_name }} sensitive facts
set_fact:
prometheus_software_env_vars: '{{ lookup("vars", "prometheus_" + prometheus_software_name + "_env_vars", default={}) }}'
no_log: true

0 comments on commit 9205e25

Please sign in to comment.