[security] Add more missing no_logs (#74116)

Change: - Add missing no_log on fields and subfields which should have it. - Update several changelogs with CVE id. Signed-off-by: Rick Elrod <rick@elrod.me>
5 years ago · 6ac19b7757
parent 6ed3e37df1
commit 6ac19b7757
50 changed files with 146 additions and 96 deletions
--- a/changelogs/fragments/471-no_log.yml
+++ b/changelogs/fragments/471-no_log.yml
@ -1,2 +1,2 @@
 security_fixes:
- aws_secret - flag the ``secret`` parameter as containing sensitive data which shouldn't be logged (https://github.com/ansible-collections/community.aws/pull/471).
+- aws_secret - flag the ``secret`` parameter as containing sensitive data which shouldn't be logged (https://github.com/ansible-collections/community.aws/pull/471) (CVE-2021-3447).
--- a/changelogs/fragments/community.aws-475-no_log-missing.yml
+++ b/changelogs/fragments/community.aws-475-no_log-missing.yml
@ -1,4 +1,4 @@
 security_fixes:
- "aws_direct_connect_virtual_interface - mark the ``authentication_key`` parameter as ``no_log`` to avoid accidental leaking of secrets in logs (https://github.com/ansible-collections/community.aws/pull/475)."
+- "aws_direct_connect_virtual_interface - mark the ``authentication_key`` parameter as ``no_log`` to avoid accidental leaking of secrets in logs (https://github.com/ansible-collections/community.aws/pull/475). (CVE-2021-3447)"
- "sts_assume_role - mark the ``mfa_token`` parameter as ``no_log`` to avoid accidental leaking of secrets in logs (https://github.com/ansible-collections/community.aws/pull/475)."
+- "sts_assume_role - mark the ``mfa_token`` parameter as ``no_log`` to avoid accidental leaking of secrets in logs (https://github.com/ansible-collections/community.aws/pull/475). (CVE-2021-3447)"
- "sts_session_token - mark the ``mfa_token`` parameter as ``no_log`` to avoid accidental leaking of secrets in logs (https://github.com/ansible-collections/community.aws/pull/475)."
+- "sts_session_token - mark the ``mfa_token`` parameter as ``no_log`` to avoid accidental leaking of secrets in logs (https://github.com/ansible-collections/community.aws/pull/475). (CVE-2021-3447)"
--- a/changelogs/fragments/community.docker-103-docker_swarm-no_log.yml
+++ b/changelogs/fragments/community.docker-103-docker_swarm-no_log.yml
@ -1,4 +1,4 @@
 security_fixes:
- "docker_swarm - the ``join_token`` option is now marked as ``no_log`` so it is no longer written into logs (https://github.com/ansible-collections/community.docker/pull/103)."
+- "docker_swarm - the ``join_token`` option is now marked as ``no_log`` so it is no longer written into logs (https://github.com/ansible-collections/community.docker/pull/103). (CVE-2021-3447)"
 breaking_changes:
- "docker_swarm - if ``join_token`` is specified, a returned join token with the same value will be replaced by ``VALUE_SPECIFIED_IN_NO_LOG_PARAMETER``. Make sure that you do not blindly use the join tokens from the return value of this module when the module is invoked with ``join_token`` specified! This breaking change appears in a minor release since it is necessary to fix a security issue (https://github.com/ansible-collections/community.docker/pull/103)."
+- "docker_swarm - if ``join_token`` is specified, a returned join token with the same value will be replaced by ``VALUE_SPECIFIED_IN_NO_LOG_PARAMETER``. Make sure that you do not blindly use the join tokens from the return value of this module when the module is invoked with ``join_token`` specified! This breaking change appears in a minor release since it is necessary to fix a security issue (https://github.com/ansible-collections/community.docker/pull/103). (CVE-2021-3447)"
--- a/changelogs/fragments/community.general-2018-missing-no_log-again.yml
+++ b/changelogs/fragments/community.general-2018-missing-no_log-again.yml
@ -1,2 +1,2 @@
 security_fixes:
- "na_cdot_user - mark the ``set_password`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/2018)."
+- "na_cdot_user - mark the ``set_password`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/2018). (CVE-2021-3447)"
--- a/changelogs/fragments/community.network-223-no_log-missing.yml
+++ b/changelogs/fragments/community.network-223-no_log-missing.yml
@ -1,4 +1,4 @@
 security_fixes:
- "avi_webhook - mark the ``verification_token`` parameter as ``no_log`` to prevent potential leaking of secret values (https://github.com/ansible-collections/community.network/pull/223)."
+- "avi_webhook - mark the ``verification_token`` parameter as ``no_log`` to prevent potential leaking of secret values (https://github.com/ansible-collections/community.network/pull/223). (CVE-2021-3447)"
- "avi_sslkeyandcertificate - mark the ``enckey_base64`` parameter as ``no_log`` to prevent potential leaking of secret values (https://github.com/ansible-collections/community.network/pull/223)."
+- "avi_sslkeyandcertificate - mark the ``enckey_base64`` parameter as ``no_log`` to prevent potential leaking of secret values (https://github.com/ansible-collections/community.network/pull/223). (CVE-2021-3447)"
- "avi_cloudconnectoruser - mark the ``azure_userpass`` parameter as ``no_log`` to prevent leaking of secret values (https://github.com/ansible-collections/community.network/pull/223)."
+- "avi_cloudconnectoruser - mark the ``azure_userpass`` parameter as ``no_log`` to prevent leaking of secret values (https://github.com/ansible-collections/community.network/pull/223). (CVE-2021-3447)"
--- a/changelogs/fragments/more-no_log-fixes.yml
+++ b/changelogs/fragments/more-no_log-fixes.yml
@ -0,0 +1,46 @@
 security_fixes:
  - azure_rm_devtestlabartifactsource - ``security_token`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - bigip_device_license - ``license_key`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - bigip_dns_nameserver - ``tsig_key`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - bigip_dns_zone - ``tsig_server_key`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - bigip_profile_client_ssl - ``key`` and ``passphrase`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - fortios_dlp_fp_doc_source - ``password`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - fortios_endpoint_control_forticlient_ems - ``admin_password`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - fortios_endpoint_control_profile - ``preshared_key`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - fortios_endpoint_control_settings - ``forticlient_reg_key`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - fortios_extender_controller_extender - ``aaa_shared_secret``, ``ha_shared_secret``, ``modem_passwd``, and ``ppp_password`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - fortios_firewall_ssh_local_ca - ``password`` and ``private_key`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - fortios_firewall_ssh_local_key - ``password`` and ``private_key`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - fortios_log_disk_setting - ``uploadpass`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - fortios_router_bgp - ``password`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - fortios_router_ospf - ``authentication_key`` and `md5_key`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - fortios_router_rip - ``auth_string`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - fortios_system_admin - ``fortitoken`` and ``password`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - fortios_system_api_user - ``api_key`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - fortios_system_interface - ``password`` and ``pptp_password`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - fortios_system_sdn_connector - ``access_key``, ``client_secret``, ``key_passwd``, ``password``, ``private_key``, and ``secret_key`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - fortios_system_virtual_wan_link - ``password`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - fortios_user_radius - ``secret``, ``rsso_secret``, ``secondary_secret``, and ``tertiary_secret`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - fortios_user_tacacsplus - ``key``, ``secondary_key``, and ``tertiary_key`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - fortios_vpn_ipsec_manualkey - ``authkey`` and ``enckey`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - fortios_vpn_ipsec_manualkey_interface - ``auth_key`` and ``enc_key`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - fortios_vpn_ipsec_phase1 - ``authpasswd``, ``group_authentication_secret``, ``ppk_secret``, ``psksecret``, and ``psksecret_remote`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - fortios_vpn_ipsec_phase1_interface - ``authpasswd``, ``group_authentication_secret``, ``ppk_secret``, ``psksecret``, and ``psksecret_remote`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - fortios_vpn_ssl_web_portal - ``logon_password`` and ``sso_password`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - fortios_wireless_controller_vap - ``captive_portal_macauth_radius_secret``, ``captive_portal_radius_secret``, ``key``, and ``passphrase`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - fortios_wireless_controller_wtp - ``login_passwd`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - fortios_wireless_controller_wtp_profile - ``fortipresence_secret`` and ``login_passwd`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - gcp_compute_instance - ``raw_key`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - gcp_container_cluster - ``password`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - gcp_sql_instance - ``password`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - ios_ntp - ``auth_key`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - logentries_msg - ``token`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - na_elementsw_cluster_snmp - ``password`` and ``passphrase`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - netscaler_lb_monitor - ``password`` and ``secondarypassword`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - nxos_aaa_server_host - ``key`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - ovirt_auth - ``token`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - pingdom - ``key`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - rollbar_deployment - ``token` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - stackdriver - ``key`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - tower_credential - ``security_token`` and ``secret`` no longer appears in logs (``no_log``) (CVE-2021-3447)
  - zabbix_action - ``password`` no longer appears in logs (``no_log``) (CVE-2021-3447)
--- a/lib/ansible/modules/cloud/azure/azure_rm_devtestlabartifactsource.py
+++ b/lib/ansible/modules/cloud/azure/azure_rm_devtestlabartifactsource.py
@ -164,7 +164,8 @@ class AzureRMDevTestLabArtifactsSource(AzureRMModuleBase):
                type='str'
            ),
            security_token=dict(
-                type='str'
+                type='str',
                no_log=True
            ),
            is_enabled=dict(
                type='bool'
--- a/lib/ansible/modules/cloud/google/gcp_compute_instance.py
+++ b/lib/ansible/modules/cloud/google/gcp_compute_instance.py
@ -889,7 +889,10 @@ def main():
                    auto_delete=dict(type='bool'),
                    boot=dict(type='bool'),
                    device_name=dict(type='str'),
-                    disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'), rsa_encrypted_key=dict(type='str'))),
+                    disk_encryption_key=dict(
                        type='dict',
                        options=dict(raw_key=dict(type='str', no_log=True), rsa_encrypted_key=dict(type='str', no_log=True))
                    ),
                    index=dict(type='int'),
                    initialize_params=dict(
                        type='dict',
@ -898,7 +901,7 @@ def main():
                            disk_size_gb=dict(type='int'),
                            disk_type=dict(type='str'),
                            source_image=dict(type='str', aliases=['image', 'image_family']),
-                            source_image_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'))),
+                            source_image_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True))),
                        ),
                    ),
                    interface=dict(type='str', choices=['SCSI', 'NVME']),
--- a/lib/ansible/modules/cloud/google/gcp_sql_instance.py
+++ b/lib/ansible/modules/cloud/google/gcp_sql_instance.py
@ -630,7 +630,7 @@ def main():
                            connect_retry_interval=dict(type='int'),
                            dump_file_path=dict(type='str'),
                            master_heartbeat_period=dict(type='int'),
-                            password=dict(type='str'),
+                            password=dict(type='str', no_log=True),
                            ssl_cipher=dict(type='str'),
                            username=dict(type='str'),
                            verify_server_certificate=dict(type='bool'),
--- a/lib/ansible/modules/cloud/ovirt/ovirt_auth.py
+++ b/lib/ansible/modules/cloud/ovirt/ovirt_auth.py
@ -223,7 +223,7 @@ def main():
            kerberos=dict(required=False, type='bool', default=False),
            headers=dict(required=False, type='dict'),
            state=dict(default='present', choices=['present', 'absent']),
-            token=dict(default=None),
+            token=dict(default=None, no_log=True),
            ovirt_auth=dict(required=None, type='dict'),
        ),
        required_if=[
--- a/lib/ansible/modules/monitoring/pingdom.py
+++ b/lib/ansible/modules/monitoring/pingdom.py
@ -113,7 +113,7 @@ def main():
            checkid=dict(required=True),
            uid=dict(required=True),
            passwd=dict(required=True, no_log=True),
-            key=dict(required=True)
+            key=dict(required=True, no_log=True)
        )
    )
--- a/lib/ansible/modules/monitoring/rollbar_deployment.py
+++ b/lib/ansible/modules/monitoring/rollbar_deployment.py
@ -83,7 +83,7 @@ def main():
    module = AnsibleModule(
        argument_spec=dict(
-            token=dict(required=True),
+            token=dict(required=True, no_log=True),
            environment=dict(required=True),
            revision=dict(required=True),
            user=dict(required=False),
--- a/lib/ansible/modules/monitoring/stackdriver.py
+++ b/lib/ansible/modules/monitoring/stackdriver.py
@ -144,7 +144,7 @@ def main():
    module = AnsibleModule(
        argument_spec=dict(
-            key=dict(required=True),
+            key=dict(required=True, no_log=True),
            event=dict(required=True, choices=['deploy', 'annotation']),
            msg=dict(),
            revision_id=dict(),
--- a/lib/ansible/modules/monitoring/zabbix/zabbix_action.py
+++ b/lib/ansible/modules/monitoring/zabbix/zabbix_action.py
@ -1735,7 +1735,7 @@ def main():
                        required=False,
                        choices=['agent', 'server', 'proxy']
                    ),
-                    password=dict(type='str', required=False),
+                    password=dict(type='str', required=False, no_log=True),
                    port=dict(type='int', required=False),
                    run_on_groups=dict(type='list', required=False),
                    run_on_hosts=dict(type='list', required=False),
@ -1827,7 +1827,7 @@ def main():
                        required=False,
                        choices=['agent', 'server', 'proxy']
                    ),
-                    password=dict(type='str', required=False),
+                    password=dict(type='str', required=False, no_log=True),
                    port=dict(type='int', required=False),
                    run_on_groups=dict(type='list', required=False),
                    run_on_hosts=dict(type='list', required=False),
@ -1911,7 +1911,7 @@ def main():
                        required=False,
                        choices=['agent', 'server', 'proxy']
                    ),
-                    password=dict(type='str', required=False),
+                    password=dict(type='str', required=False, no_log=True),
                    port=dict(type='int', required=False),
                    run_on_groups=dict(type='list', required=False),
                    run_on_hosts=dict(type='list', required=False),
--- a/lib/ansible/modules/network/f5/bigip_device_license.py
+++ b/lib/ansible/modules/network/f5/bigip_device_license.py
@ -847,7 +847,7 @@ class ArgumentSpec(object):
    def __init__(self):
        self.supports_check_mode = True
        argument_spec = dict(
-            license_key=dict(),
+            license_key=dict(no_log=True),
            license_server=dict(
                default='activate.f5.com'
            ),
--- a/lib/ansible/modules/network/f5/bigip_dns_nameserver.py
+++ b/lib/ansible/modules/network/f5/bigip_dns_nameserver.py
@ -433,7 +433,7 @@ class ArgumentSpec(object):
            address=dict(),
            service_port=dict(),
            route_domain=dict(),
-            tsig_key=dict(),
+            tsig_key=dict(no_log=True),
            state=dict(
                default='present',
                choices=['present', 'absent']
--- a/lib/ansible/modules/network/f5/bigip_dns_zone.py
+++ b/lib/ansible/modules/network/f5/bigip_dns_zone.py
@ -579,7 +579,7 @@ class ArgumentSpec(object):
                )
            ),
            nameservers=dict(type='list'),
-            tsig_server_key=dict(),
+            tsig_server_key=dict(no_log=True),
            partition=dict(
                default='Common',
                fallback=(env_fallback, ['F5_PARTITION'])
--- a/lib/ansible/modules/network/f5/bigip_profile_client_ssl.py
+++ b/lib/ansible/modules/network/f5/bigip_profile_client_ssl.py
@ -1053,9 +1053,9 @@ class ArgumentSpec(object):
                type='list',
                options=dict(
                    cert=dict(required=True),
-                    key=dict(required=True),
+                    key=dict(required=True, no_log=True),
                    chain=dict(),
-                    passphrase=dict()
+                    passphrase=dict(no_log=True)
                )
            ),
            state=dict(
--- a/lib/ansible/modules/network/fortios/fortios_dlp_fp_doc_source.py
+++ b/lib/ansible/modules/network/fortios/fortios_dlp_fp_doc_source.py
@ -345,7 +345,7 @@ def main():
                "keep-modified": {"required": False, "type": "str",
                                  "choices": ["enable", "disable"]},
                "name": {"required": True, "type": "str"},
-                "password": {"required": False, "type": "str"},
+                "password": {"required": False, "type": "str", "no_log": True},
                "period": {"required": False, "type": "str",
                           "choices": ["none", "daily", "weekly",
                                       "monthly"]},
--- a/lib/ansible/modules/network/fortios/fortios_endpoint_control_forticlient_ems.py
+++ b/lib/ansible/modules/network/fortios/fortios_endpoint_control_forticlient_ems.py
@ -280,7 +280,7 @@ def main():
                "state": {"required": True, "type": "str",
                          "choices": ["present", "absent"]},
                "address": {"required": False, "type": "str"},
-                "admin-password": {"required": False, "type": "str"},
+                "admin-password": {"required": False, "type": "str", "no_log": True},
                "admin-type": {"required": False, "type": "str",
                               "choices": ["Windows", "LDAP"]},
                "admin-username": {"required": False, "type": "str"},
--- a/lib/ansible/modules/network/fortios/fortios_endpoint_control_profile.py
+++ b/lib/ansible/modules/network/fortios/fortios_endpoint_control_profile.py
@ -826,7 +826,7 @@ def main():
                                                                                      "auth-method": {"required": False, "type": "str",
                                                                                                      "choices": ["psk", "certificate"]},
                                                                                      "name": {"required": True, "type": "str"},
-                                                                                      "preshared-key": {"required": False, "type": "str"},
+                                                                                      "preshared-key": {"required": False, "type": "str", "no_log": True},
                                                                                      "remote-gw": {"required": False, "type": "str"},
                                                                                      "sslvpn-access-port": {"required": False, "type": "int"},
                                                                                      "sslvpn-require-certificate": {"required": False, "type": "str",
@ -847,7 +847,7 @@ def main():
                                                                             "auth-method": {"required": False, "type": "str",
                                                                                             "choices": ["psk", "certificate"]},
                                                                             "name": {"required": True, "type": "str"},
-                                                                             "preshared-key": {"required": False, "type": "str"},
+                                                                             "preshared-key": {"required": False, "type": "str", "no_log": True},
                                                                             "remote-gw": {"required": False, "type": "str"},
                                                                             "sslvpn-access-port": {"required": False, "type": "int"},
                                                                             "sslvpn-require-certificate": {"required": False, "type": "str",
--- a/lib/ansible/modules/network/fortios/fortios_endpoint_control_settings.py
+++ b/lib/ansible/modules/network/fortios/fortios_endpoint_control_settings.py
@ -299,7 +299,7 @@ def main():
                "forticlient-offline-grace": {"required": False, "type": "str",
                                              "choices": ["enable", "disable"]},
                "forticlient-offline-grace-interval": {"required": False, "type": "int"},
-                "forticlient-reg-key": {"required": False, "type": "str"},
+                "forticlient-reg-key": {"required": False, "type": "str", "no_log": True},
                "forticlient-reg-key-enforce": {"required": False, "type": "str",
                                                "choices": ["enable", "disable"]},
                "forticlient-reg-timeout": {"required": False, "type": "int"},
--- a/lib/ansible/modules/network/fortios/fortios_extender_controller_extender.py
+++ b/lib/ansible/modules/network/fortios/fortios_extender_controller_extender.py
@ -442,7 +442,7 @@ def main():
            "options": {
                "state": {"required": True, "type": "str",
                          "choices": ["present", "absent"]},
-                "aaa-shared-secret": {"required": False, "type": "str"},
+                "aaa-shared-secret": {"required": False, "type": "str", "no_log": True},
                "access-point-name": {"required": False, "type": "str"},
                "admin": {"required": False, "type": "str",
                          "choices": ["disable", "discovered", "enable"]},
@ -457,14 +457,14 @@ def main():
                              "choices": ["dial-on-demand", "always-connect"]},
                "dial-status": {"required": False, "type": "int"},
                "ext-name": {"required": False, "type": "str"},
-                "ha-shared-secret": {"required": False, "type": "str"},
+                "ha-shared-secret": {"required": False, "type": "str", "no_log": True},
                "id": {"required": True, "type": "str"},
                "ifname": {"required": False, "type": "str"},
                "initiated-update": {"required": False, "type": "str",
                                     "choices": ["enable", "disable"]},
                "mode": {"required": False, "type": "str",
                         "choices": ["standalone", "redundant"]},
-                "modem-passwd": {"required": False, "type": "str"},
+                "modem-passwd": {"required": False, "type": "str", "no_log": True},
                "modem-type": {"required": False, "type": "str",
                               "choices": ["cdma", "gsm/lte", "wimax"]},
                "multi-mode": {"required": False, "type": "str",
@ -474,7 +474,7 @@ def main():
                                      "choices": ["auto", "pap", "chap"]},
                "ppp-echo-request": {"required": False, "type": "str",
                                     "choices": ["enable", "disable"]},
-                "ppp-password": {"required": False, "type": "str"},
+                "ppp-password": {"required": False, "type": "str", "no_log": True},
                "ppp-username": {"required": False, "type": "str"},
                "primary-ha": {"required": False, "type": "str"},
                "quota-limit-mb": {"required": False, "type": "int"},
--- a/lib/ansible/modules/network/fortios/fortios_firewall_ssh_local_ca.py
+++ b/lib/ansible/modules/network/fortios/fortios_firewall_ssh_local_ca.py
@ -256,8 +256,8 @@ def main():
                "state": {"required": True, "type": "str",
                          "choices": ["present", "absent"]},
                "name": {"required": True, "type": "str"},
-                "password": {"required": False, "type": "str"},
+                "password": {"required": False, "type": "str", "no_log": True},
-                "private-key": {"required": False, "type": "str"},
+                "private-key": {"required": False, "type": "str", "no_log": True},
                "public-key": {"required": False, "type": "str"},
                "source": {"required": False, "type": "str",
                           "choices": ["built-in", "user"]}
--- a/lib/ansible/modules/network/fortios/fortios_firewall_ssh_local_key.py
+++ b/lib/ansible/modules/network/fortios/fortios_firewall_ssh_local_key.py
@ -256,8 +256,8 @@ def main():
                "state": {"required": True, "type": "str",
                          "choices": ["present", "absent"]},
                "name": {"required": True, "type": "str"},
-                "password": {"required": False, "type": "str"},
+                "password": {"required": False, "type": "str", "no_log": True},
-                "private-key": {"required": False, "type": "str"},
+                "private-key": {"required": False, "type": "str", "no_log": True},
                "public-key": {"required": False, "type": "str"},
                "source": {"required": False, "type": "str",
                           "choices": ["built-in", "user"]}
--- a/lib/ansible/modules/network/fortios/fortios_log_disk_setting.py
+++ b/lib/ansible/modules/network/fortios/fortios_log_disk_setting.py
@ -422,7 +422,7 @@ def main():
                                                "disable"]},
                "uploaddir": {"required": False, "type": "str"},
                "uploadip": {"required": False, "type": "str"},
-                "uploadpass": {"required": False, "type": "str"},
+                "uploadpass": {"required": False, "type": "str", "no_log": True},
                "uploadport": {"required": False, "type": "int"},
                "uploadsched": {"required": False, "type": "str",
                                "choices": ["disable", "enable"]},
--- a/lib/ansible/modules/network/fortios/fortios_router_bgp.py
+++ b/lib/ansible/modules/network/fortios/fortios_router_bgp.py
@ -1794,7 +1794,7 @@ def main():
                                                         "choices": ["enable", "disable"]},
                                 "passive": {"required": False, "type": "str",
                                             "choices": ["enable", "disable"]},
-                                 "password": {"required": False, "type": "str"},
+                                 "password": {"required": False, "type": "str", "no_log": True},
                                 "prefix-list-in": {"required": False, "type": "str"},
                                 "prefix-list-in6": {"required": False, "type": "str"},
                                 "prefix-list-out": {"required": False, "type": "str"},
--- a/lib/ansible/modules/network/fortios/fortios_router_ospf.py
+++ b/lib/ansible/modules/network/fortios/fortios_router_ospf.py
@ -841,7 +841,7 @@ def main():
                                              "options": {
                                                  "authentication": {"required": False, "type": "str",
                                                                     "choices": ["none", "text", "md5"]},
-                                                  "authentication-key": {"required": False, "type": "str"},
+                                                  "authentication-key": {"required": False, "type": "str", "no_log": True},
                                                  "dead-interval": {"required": False, "type": "int"},
                                                  "hello-interval": {"required": False, "type": "int"},
                                                  "md5-key": {"required": False, "type": "str"},
@ -898,7 +898,7 @@ def main():
                                   "options": {
                                       "authentication": {"required": False, "type": "str",
                                                          "choices": ["none", "text", "md5"]},
-                                       "authentication-key": {"required": False, "type": "str"},
+                                       "authentication-key": {"required": False, "type": "str", "no_log": True},
                                       "bfd": {"required": False, "type": "str",
                                               "choices": ["global", "enable", "disable"]},
                                       "cost": {"required": False, "type": "int"},
@ -909,7 +909,7 @@ def main():
                                       "hello-multiplier": {"required": False, "type": "int"},
                                       "interface": {"required": False, "type": "str"},
                                       "ip": {"required": False, "type": "str"},
-                                       "md5-key": {"required": False, "type": "str"},
+                                       "md5-key": {"required": False, "type": "str", "no_log": True},
                                       "mtu": {"required": False, "type": "int"},
                                       "mtu-ignore": {"required": False, "type": "str",
                                                      "choices": ["enable", "disable"]},
--- a/lib/ansible/modules/network/fortios/fortios_router_rip.py
+++ b/lib/ansible/modules/network/fortios/fortios_router_rip.py
@ -522,7 +522,7 @@ def main():
                                  "auth-keychain": {"required": False, "type": "str"},
                                  "auth-mode": {"required": False, "type": "str",
                                                "choices": ["none", "text", "md5"]},
-                                  "auth-string": {"required": False, "type": "str"},
+                                  "auth-string": {"required": False, "type": "str", "no_log": True},
                                  "flags": {"required": False, "type": "int"},
                                  "name": {"required": True, "type": "str"},
                                  "receive-version": {"required": False, "type": "str",
--- a/lib/ansible/modules/network/fortios/fortios_system_admin.py
+++ b/lib/ansible/modules/network/fortios/fortios_system_admin.py
@ -763,7 +763,7 @@ def main():
                "email-to": {"required": False, "type": "str"},
                "force-password-change": {"required": False, "type": "str",
                                          "choices": ["enable", "disable"]},
-                "fortitoken": {"required": False, "type": "str"},
+                "fortitoken": {"required": False, "type": "str", "no_log": True},
                "guest-auth": {"required": False, "type": "str",
                               "choices": ["disable", "enable"]},
                "guest-lang": {"required": False, "type": "str"},
@ -855,7 +855,7 @@ def main():
                                   "usr-name": {"required": True, "type": "str"}
                               }},
                "name": {"required": True, "type": "str"},
-                "password": {"required": False, "type": "str"},
+                "password": {"required": False, "type": "str", "no_log": True},
                "password-expire": {"required": False, "type": "str"},
                "peer-auth": {"required": False, "type": "str",
                              "choices": ["enable", "disable"]},
--- a/lib/ansible/modules/network/fortios/fortios_system_api_user.py
+++ b/lib/ansible/modules/network/fortios/fortios_system_api_user.py
@ -320,7 +320,7 @@ def main():
                "state": {"required": True, "type": "str",
                          "choices": ["present", "absent"]},
                "accprofile": {"required": False, "type": "str"},
-                "api-key": {"required": False, "type": "str"},
+                "api-key": {"required": False, "type": "str", "no_log": True},
                "comments": {"required": False, "type": "str"},
                "cors-allow-origin": {"required": False, "type": "str"},
                "name": {"required": True, "type": "str"},
--- a/lib/ansible/modules/network/fortios/fortios_system_interface.py
+++ b/lib/ansible/modules/network/fortios/fortios_system_interface.py
@ -2050,7 +2050,7 @@ def main():
                                                "both"]},
                "outbandwidth": {"required": False, "type": "int"},
                "padt-retry-timeout": {"required": False, "type": "int"},
-                "password": {"required": False, "type": "str"},
+                "password": {"required": False, "type": "str", "no_log": True},
                "ping-serv-status": {"required": False, "type": "int"},
                "polling-interval": {"required": False, "type": "int"},
                "pppoe-unnumbered-negotiate": {"required": False, "type": "str",
@ -2060,7 +2060,7 @@ def main():
                                               "mschapv1", "mschapv2"]},
                "pptp-client": {"required": False, "type": "str",
                                "choices": ["enable", "disable"]},
-                "pptp-password": {"required": False, "type": "str"},
+                "pptp-password": {"required": False, "type": "str", "no_log": True},
                "pptp-server-ip": {"required": False, "type": "str"},
                "pptp-timeout": {"required": False, "type": "int"},
                "pptp-user": {"required": False, "type": "str"},
--- a/lib/ansible/modules/network/fortios/fortios_system_sdn_connector.py
+++ b/lib/ansible/modules/network/fortios/fortios_system_sdn_connector.py
@ -450,19 +450,19 @@ def main():
            "options": {
                "state": {"required": True, "type": "str",
                          "choices": ["present", "absent"]},
-                "access-key": {"required": False, "type": "str"},
+                "access-key": {"required": False, "type": "str", "no_log": True},
                "azure-region": {"required": False, "type": "str",
                                 "choices": ["global", "china", "germany",
                                             "usgov"]},
                "client-id": {"required": False, "type": "str"},
-                "client-secret": {"required": False, "type": "str"},
+                "client-secret": {"required": False, "type": "str", "no_log": True},
                "compartment-id": {"required": False, "type": "str"},
                "external-ip": {"required": False, "type": "list",
                                "options": {
                                    "name": {"required": True, "type": "str"}
                                }},
                "gcp-project": {"required": False, "type": "str"},
-                "key-passwd": {"required": False, "type": "str"},
+                "key-passwd": {"required": False, "type": "str", "no_log": True},
                "name": {"required": True, "type": "str"},
                "nic": {"required": False, "type": "list",
                        "options": {
@ -478,8 +478,8 @@ def main():
                "oci-region": {"required": False, "type": "str",
                               "choices": ["phoenix", "ashburn", "frankfurt",
                                           "london"]},
-                "password": {"required": False, "type": "str"},
+                "password": {"required": False, "type": "str", "no_log": True},
-                "private-key": {"required": False, "type": "str"},
+                "private-key": {"required": False, "type": "str", "no_log": True},
                "region": {"required": False, "type": "str"},
                "resource-group": {"required": False, "type": "str"},
                "route": {"required": False, "type": "list",
@ -495,7 +495,7 @@ def main():
                                                  "next-hop": {"required": False, "type": "str"}
                                              }}
                                }},
-                "secret-key": {"required": False, "type": "str"},
+                "secret-key": {"required": False, "type": "str", "no_log": True},
                "server": {"required": False, "type": "str"},
                "server-port": {"required": False, "type": "int"},
                "service-account": {"required": False, "type": "str"},
--- a/lib/ansible/modules/network/fortios/fortios_system_virtual_wan_link.py
+++ b/lib/ansible/modules/network/fortios/fortios_system_virtual_wan_link.py
@ -812,7 +812,7 @@ def main():
                                                 }},
                                     "name": {"required": True, "type": "str"},
                                     "packet-size": {"required": False, "type": "int"},
-                                     "password": {"required": False, "type": "str"},
+                                     "password": {"required": False, "type": "str", "no_log": True},
                                     "port": {"required": False, "type": "int"},
                                     "protocol": {"required": False, "type": "str",
                                                  "choices": ["ping", "tcp-echo", "udp-echo",
--- a/lib/ansible/modules/network/fortios/fortios_user_radius.py
+++ b/lib/ansible/modules/network/fortios/fortios_user_radius.py
@ -575,7 +575,7 @@ def main():
                                      "options": {
                                          "id": {"required": True, "type": "int"},
                                          "port": {"required": False, "type": "int"},
-                                          "secret": {"required": False, "type": "str"},
+                                          "secret": {"required": False, "type": "str", "no_log": True},
                                          "server": {"required": False, "type": "str"},
                                          "source-ip": {"required": False, "type": "str"},
                                          "status": {"required": False, "type": "str",
@ -637,11 +637,11 @@ def main():
                "rsso-radius-response": {"required": False, "type": "str",
                                         "choices": ["enable", "disable"]},
                "rsso-radius-server-port": {"required": False, "type": "int"},
-                "rsso-secret": {"required": False, "type": "str"},
+                "rsso-secret": {"required": False, "type": "str", "no_log": True},
                "rsso-validate-request-secret": {"required": False, "type": "str",
                                                 "choices": ["enable", "disable"]},
                "secondary-secret": {"required": False, "type": "str"},
-                "secondary-server": {"required": False, "type": "str"},
+                "secondary-server": {"required": False, "type": "str", "no_log": True},
                "secret": {"required": False, "type": "str"},
                "server": {"required": False, "type": "str"},
                "source-ip": {"required": False, "type": "str"},
@ -657,7 +657,7 @@ def main():
                "sso-attribute-key": {"required": False, "type": "str"},
                "sso-attribute-value-override": {"required": False, "type": "str",
                                                 "choices": ["enable", "disable"]},
-                "tertiary-secret": {"required": False, "type": "str"},
+                "tertiary-secret": {"required": False, "type": "str", "no_log": True},
                "tertiary-server": {"required": False, "type": "str"},
                "timeout": {"required": False, "type": "int"},
                "use-management-vdom": {"required": False, "type": "str",
--- a/lib/ansible/modules/network/fortios/fortios_user_tacacsplus.py
+++ b/lib/ansible/modules/network/fortios/fortios_user_tacacsplus.py
@ -292,14 +292,14 @@ def main():
                                            "ascii", "auto"]},
                "authorization": {"required": False, "type": "str",
                                  "choices": ["enable", "disable"]},
-                "key": {"required": False, "type": "str"},
+                "key": {"required": False, "type": "str", "no_log": True},
                "name": {"required": True, "type": "str"},
                "port": {"required": False, "type": "int"},
-                "secondary-key": {"required": False, "type": "str"},
+                "secondary-key": {"required": False, "type": "str", "no_log": True},
                "secondary-server": {"required": False, "type": "str"},
                "server": {"required": False, "type": "str"},
                "source-ip": {"required": False, "type": "str"},
-                "tertiary-key": {"required": False, "type": "str"},
+                "tertiary-key": {"required": False, "type": "str", "no_log": True},
                "tertiary-server": {"required": False, "type": "str"}
            }
--- a/lib/ansible/modules/network/fortios/fortios_vpn_ipsec_manualkey.py
+++ b/lib/ansible/modules/network/fortios/fortios_vpn_ipsec_manualkey.py
@ -307,8 +307,8 @@ def main():
                "authentication": {"required": False, "type": "str",
                                   "choices": ["null", "md5", "sha1",
                                               "sha256", "sha384", "sha512"]},
-                "authkey": {"required": False, "type": "str"},
+                "authkey": {"required": False, "type": "str", "no_log": True},
-                "enckey": {"required": False, "type": "str"},
+                "enckey": {"required": False, "type": "str", "no_log": True},
                "encryption": {"required": False, "type": "str",
                               "choices": ["null", "des"]},
                "interface": {"required": False, "type": "str"},
--- a/lib/ansible/modules/network/fortios/fortios_vpn_ipsec_manualkey_interface.py
+++ b/lib/ansible/modules/network/fortios/fortios_vpn_ipsec_manualkey_interface.py
@ -332,10 +332,10 @@ def main():
                "auth-alg": {"required": False, "type": "str",
                             "choices": ["null", "md5", "sha1",
                                         "sha256", "sha384", "sha512"]},
-                "auth-key": {"required": False, "type": "str"},
+                "auth-key": {"required": False, "type": "str", "no_log": True},
                "enc-alg": {"required": False, "type": "str",
                            "choices": ["null", "des"]},
-                "enc-key": {"required": False, "type": "str"},
+                "enc-key": {"required": False, "type": "str", "no_log": True},
                "interface": {"required": False, "type": "str"},
                "ip-version": {"required": False, "type": "str",
                               "choices": ["4", "6"]},
--- a/lib/ansible/modules/network/fortios/fortios_vpn_ipsec_phase1.py
+++ b/lib/ansible/modules/network/fortios/fortios_vpn_ipsec_phase1.py
@ -924,7 +924,7 @@ def main():
                               "choices": ["psk", "signature"]},
                "authmethod-remote": {"required": False, "type": "str",
                                      "choices": ["psk", "signature"]},
-                "authpasswd": {"required": False, "type": "str"},
+                "authpasswd": {"required": False, "type": "str", "no_log": True},
                "authusr": {"required": False, "type": "str"},
                "authusrgrp": {"required": False, "type": "str"},
                "auto-negotiate": {"required": False, "type": "str",
@ -977,7 +977,7 @@ def main():
                "fragmentation-mtu": {"required": False, "type": "int"},
                "group-authentication": {"required": False, "type": "str",
                                         "choices": ["enable", "disable"]},
-                "group-authentication-secret": {"required": False, "type": "password-3"},
+                "group-authentication-secret": {"required": False, "type": "password-3", "no_log": True},
                "ha-sync-esp-seqno": {"required": False, "type": "str",
                                      "choices": ["enable", "disable"]},
                "idle-timeout": {"required": False, "type": "str",
@ -1048,12 +1048,12 @@ def main():
                "ppk": {"required": False, "type": "str",
                        "choices": ["disable", "allow", "require"]},
                "ppk-identity": {"required": False, "type": "str"},
-                "ppk-secret": {"required": False, "type": "password-3"},
+                "ppk-secret": {"required": False, "type": "password-3", "no_log": True},
                "priority": {"required": False, "type": "int"},
                "proposal": {"required": False, "type": "str",
                             "choices": ["des-md5", "des-sha1", "des-sha256",
                                         "des-sha384", "des-sha512"]},
-                "psksecret": {"required": False, "type": "password-3"},
+                "psksecret": {"required": False, "type": "password-3", "no_log": True},
                "psksecret-remote": {"required": False, "type": "password-3"},
                "reauth": {"required": False, "type": "str",
                           "choices": ["disable", "enable"]},
--- a/lib/ansible/modules/network/fortios/fortios_vpn_ipsec_phase1_interface.py
+++ b/lib/ansible/modules/network/fortios/fortios_vpn_ipsec_phase1_interface.py
@ -1080,7 +1080,7 @@ def main():
                               "choices": ["psk", "signature"]},
                "authmethod-remote": {"required": False, "type": "str",
                                      "choices": ["psk", "signature"]},
-                "authpasswd": {"required": False, "type": "str"},
+                "authpasswd": {"required": False, "type": "str", "no_log": True},
                "authusr": {"required": False, "type": "str"},
                "authusrgrp": {"required": False, "type": "str"},
                "auto-discovery-forwarder": {"required": False, "type": "str",
@ -1153,7 +1153,7 @@ def main():
                "fragmentation-mtu": {"required": False, "type": "int"},
                "group-authentication": {"required": False, "type": "str",
                                         "choices": ["enable", "disable"]},
-                "group-authentication-secret": {"required": False, "type": "password-3"},
+                "group-authentication-secret": {"required": False, "type": "password-3", "no_log": True},
                "ha-sync-esp-seqno": {"required": False, "type": "str",
                                      "choices": ["enable", "disable"]},
                "idle-timeout": {"required": False, "type": "str",
@ -1240,12 +1240,12 @@ def main():
                "ppk": {"required": False, "type": "str",
                        "choices": ["disable", "allow", "require"]},
                "ppk-identity": {"required": False, "type": "str"},
-                "ppk-secret": {"required": False, "type": "password-3"},
+                "ppk-secret": {"required": False, "type": "password-3", "no_log": True},
                "priority": {"required": False, "type": "int"},
                "proposal": {"required": False, "type": "str",
                             "choices": ["des-md5", "des-sha1", "des-sha256",
                                         "des-sha384", "des-sha512"]},
-                "psksecret": {"required": False, "type": "password-3"},
+                "psksecret": {"required": False, "type": "password-3", "no_log": True},
                "psksecret-remote": {"required": False, "type": "password-3"},
                "reauth": {"required": False, "type": "str",
                           "choices": ["disable", "enable"]},
--- a/lib/ansible/modules/network/fortios/fortios_vpn_ssl_web_portal.py
+++ b/lib/ansible/modules/network/fortios/fortios_vpn_ssl_web_portal.py
@ -911,7 +911,7 @@ def main():
                                                         "host": {"required": False, "type": "str"},
                                                         "listening-port": {"required": False, "type": "int"},
                                                         "load-balancing-info": {"required": False, "type": "str"},
-                                                         "logon-password": {"required": False, "type": "str"},
+                                                         "logon-password": {"required": False, "type": "str", "no_log": True},
                                                         "logon-user": {"required": False, "type": "str"},
                                                         "name": {"required": True, "type": "str"},
                                                         "port": {"required": False, "type": "int"},
@ -935,7 +935,7 @@ def main():
                                                         "sso-credential-sent-once": {"required": False, "type": "str",
                                                                                      "choices": ["enable", "disable"]},
                                                         "sso-password": {"required": False, "type": "str"},
-                                                         "sso-username": {"required": False, "type": "str"},
+                                                         "sso-username": {"required": False, "type": "str", "no_log": True},
                                                         "url": {"required": False, "type": "str"}
                                                     }},
                                       "name": {"required": True, "type": "str"}
--- a/lib/ansible/modules/network/fortios/fortios_wireless_controller_vap.py
+++ b/lib/ansible/modules/network/fortios/fortios_wireless_controller_vap.py
@ -1074,9 +1074,9 @@ def main():
                                                      "netbios-ds", "ipv6", "all-other-mc",
                                                      "all-other-bc"]},
                "captive-portal-ac-name": {"required": False, "type": "str"},
-                "captive-portal-macauth-radius-secret": {"required": False, "type": "str"},
+                "captive-portal-macauth-radius-secret": {"required": False, "type": "str", "no_log": True},
                "captive-portal-macauth-radius-server": {"required": False, "type": "str"},
-                "captive-portal-radius-secret": {"required": False, "type": "str"},
+                "captive-portal-radius-secret": {"required": False, "type": "str", "no_log": True},
                "captive-portal-radius-server": {"required": False, "type": "str"},
                "captive-portal-session-timeout-interval": {"required": False, "type": "int"},
                "dhcp-lease-time": {"required": False, "type": "int"},
@ -1114,7 +1114,7 @@ def main():
                "intra-vap-privacy": {"required": False, "type": "str",
                                      "choices": ["enable", "disable"]},
                "ip": {"required": False, "type": "str"},
-                "key": {"required": False, "type": "str"},
+                "key": {"required": False, "type": "str", "no_log": True},
                "keyindex": {"required": False, "type": "int"},
                "ldpc": {"required": False, "type": "str",
                         "choices": ["disable", "rx", "tx",
@ -1155,7 +1155,7 @@ def main():
                                 "comment": {"required": False, "type": "str"},
                                 "concurrent-clients": {"required": False, "type": "str"},
                                 "key-name": {"required": True, "type": "str"},
-                                 "passphrase": {"required": False, "type": "str"}
+                                 "passphrase": {"required": False, "type": "str", "no_log": True}
                             }},
                "multicast-enhance": {"required": False, "type": "str",
                                      "choices": ["enable", "disable"]},
@ -1165,7 +1165,7 @@ def main():
                "name": {"required": True, "type": "str"},
                "okc": {"required": False, "type": "str",
                        "choices": ["disable", "enable"]},
-                "passphrase": {"required": False, "type": "str"},
+                "passphrase": {"required": False, "type": "str", "no_log": True},
                "pmf": {"required": False, "type": "str",
                        "choices": ["disable", "enable", "optional"]},
                "pmf-assoc-comeback-timeout": {"required": False, "type": "int"},
--- a/lib/ansible/modules/network/fortios/fortios_wireless_controller_wtp.py
+++ b/lib/ansible/modules/network/fortios/fortios_wireless_controller_wtp.py
@ -873,7 +873,7 @@ def main():
                "led-state": {"required": False, "type": "str",
                              "choices": ["enable", "disable"]},
                "location": {"required": False, "type": "str"},
-                "login-passwd": {"required": False, "type": "str"},
+                "login-passwd": {"required": False, "type": "str", "no_log": True},
                "login-passwd-change": {"required": False, "type": "str",
                                        "choices": ["yes", "default", "no"]},
                "mesh-bridge-enable": {"required": False, "type": "str",
--- a/lib/ansible/modules/network/fortios/fortios_wireless_controller_wtp_profile.py
+++ b/lib/ansible/modules/network/fortios/fortios_wireless_controller_wtp_profile.py
@ -1560,7 +1560,7 @@ def main():
                            "fortipresence-project": {"required": False, "type": "str"},
                            "fortipresence-rogue": {"required": False, "type": "str",
                                                    "choices": ["enable", "disable"]},
-                            "fortipresence-secret": {"required": False, "type": "str"},
+                            "fortipresence-secret": {"required": False, "type": "str", "no_log": True},
                            "fortipresence-server": {"required": False, "type": "str"},
                            "fortipresence-unassoc": {"required": False, "type": "str",
                                                      "choices": ["enable", "disable"]},
@ -1575,7 +1575,7 @@ def main():
                              "choices": ["enable", "disable"]},
                "lldp": {"required": False, "type": "str",
                         "choices": ["enable", "disable"]},
-                "login-passwd": {"required": False, "type": "str"},
+                "login-passwd": {"required": False, "type": "str", "no_log": True},
                "login-passwd-change": {"required": False, "type": "str",
                                        "choices": ["yes", "default", "no"]},
                "max-clients": {"required": False, "type": "int"},
--- a/lib/ansible/modules/network/ios/ios_ntp.py
+++ b/lib/ansible/modules/network/ios/ios_ntp.py
@ -38,7 +38,7 @@ options:
        default: False
    auth_key:
        description:
-            - md5 NTP authentication key of tye 7.
+            - md5 NTP authentication key of type 7.
    key_id:
        description:
            - auth_key id. Data type string
@ -272,7 +272,7 @@ def main():
        acl=dict(),
        logging=dict(type='bool', default=False),
        auth=dict(type='bool', default=False),
-        auth_key=dict(),
+        auth_key=dict(no_log=True),
        key_id=dict(),
        state=dict(choices=['absent', 'present'], default='present')
    )
--- a/lib/ansible/modules/network/netscaler/netscaler_lb_monitor.py
+++ b/lib/ansible/modules/network/netscaler/netscaler_lb_monitor.py
@ -982,8 +982,8 @@ def main():
        dispatcherip=dict(type='str'),
        dispatcherport=dict(type='int'),
        username=dict(type='str'),
-        password=dict(type='str'),
+        password=dict(type='str', no_log=True),
-        secondarypassword=dict(type='str'),
+        secondarypassword=dict(type='str', no_log=True),
        logonpointname=dict(type='str'),
        lasversion=dict(type='str'),
        radkey=dict(type='str', no_log=True),
--- a/lib/ansible/modules/network/nxos/nxos_aaa_server_host.py
+++ b/lib/ansible/modules/network/nxos/nxos_aaa_server_host.py
@ -246,7 +246,7 @@ def main():
    argument_spec = dict(
        server_type=dict(choices=['radius', 'tacacs'], required=True),
        address=dict(type='str', required=True),
-        key=dict(type='str'),
+        key=dict(type='str', no_log=True),
        encrypt_type=dict(type='str', choices=['0', '7']),
        host_timeout=dict(type='str'),
        auth_port=dict(type='str'),
--- a/lib/ansible/modules/notification/logentries_msg.py
+++ b/lib/ansible/modules/notification/logentries_msg.py
@ -73,7 +73,7 @@ def send_msg(module, token, msg, api, port):
 def main():
    module = AnsibleModule(
        argument_spec=dict(
-            token=dict(type='str', required=True),
+            token=dict(type='str', required=True, no_log=True),
            msg=dict(type='str', required=True),
            api=dict(type='str', default="data.logentries.com"),
            port=dict(type='int', default=80)),
--- a/lib/ansible/modules/storage/netapp/na_elementsw_cluster_snmp.py
+++ b/lib/ansible/modules/storage/netapp/na_elementsw_cluster_snmp.py
@ -177,8 +177,8 @@ class ElementSWClusterSnmp(object):
                options=dict(
                    access=dict(type='str', choices=['rouser', 'rwuser', 'rosys']),
                    name=dict(type='str', default=None),
-                    password=dict(type='str', default=None),
+                    password=dict(type='str', default=None, no_log=True),
-                    passphrase=dict(type='str', default=None),
+                    passphrase=dict(type='str', default=None, no_log=True),
                    secLevel=dict(type='str', choices=['auth', 'noauth', 'priv'])
                )
            ),
--- a/lib/ansible/modules/web_infrastructure/ansible_tower/tower_credential.py
+++ b/lib/ansible/modules/web_infrastructure/ansible_tower/tower_credential.py
@ -245,8 +245,8 @@ def main():
        authorize=dict(type='bool', default=False),
        authorize_password=dict(no_log=True),
        client=dict(),
-        security_token=dict(),
+        security_token=dict(no_log=True),
-        secret=dict(),
+        secret=dict(no_log=True),
        tenant=dict(),
        subscription=dict(),
        domain=dict(),
`@ -1,2 +1,2 @@`
	`security_fixes:`	`security_fixes:`
	- aws_secret - flag the ``secret`` parameter as containing sensitive data which shouldn't be logged (https://github.com/ansible-collections/community.aws/pull/471).	- aws_secret - flag the ``secret`` parameter as containing sensitive data which shouldn't be logged (https://github.com/ansible-collections/community.aws/pull/471) (CVE-2021-3447).