Partial backport of community.aws/471 - no_log=True for aws_secret (#73874)

5 years ago · de3c5561d8
parent 4fb24327a3
commit de3c5561d8
2 changed files with 3 additions and 1 deletions
--- a/changelogs/fragments/471-no_log.yml
+++ b/changelogs/fragments/471-no_log.yml
@ -0,0 +1,2 @@
+security_fixes:
+- aws_secret - flag the ``secret`` parameter as containing sensitive data which shouldn't be logged (https://github.com/ansible-collections/community.aws/pull/471).
--- a/lib/ansible/modules/cloud/amazon/aws_secret.py
+++ b/lib/ansible/modules/cloud/amazon/aws_secret.py
@ -327,7 +327,7 @@ def main():
            'description': dict(default=""),
            'kms_key_id': dict(),
            'secret_type': dict(choices=['binary', 'string'], default="string"),
-            'secret': dict(default=""),
+            'secret': dict(default="", no_log=True),
            'tags': dict(type='dict', default={}),
            'rotation_lambda': dict(),
            'rotation_interval': dict(type='int', default=30),