From de3c5561d84b575fcebbfe80ef66537907b8b24b Mon Sep 17 00:00:00 2001
From: Mark Chappell
Date: Sat, 3 Apr 2021 16:55:35 +0200
Subject: [PATCH] Partial backport of community.aws/471 - no_log=True for aws_secret (#73874)
---
 changelogs/fragments/471-no_log.yml | 2 ++
 lib/ansible/modules/cloud/amazon/aws_secret.py | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/fragments/471-no_log.yml
diff --git a/changelogs/fragments/471-no_log.yml b/changelogs/fragments/471-no_log.yml
new file mode 100644
index 00000000000..14217c20f5b
--- /dev/null
+++ b/changelogs/fragments/471-no_log.yml
@@ -0,0 +1,2 @@
+security_fixes:
+- aws_secret - flag the ``secret`` parameter as containing sensitive data which shouldn't be logged (https://github.com/ansible-collections/community.aws/pull/471).
diff --git a/lib/ansible/modules/cloud/amazon/aws_secret.py b/lib/ansible/modules/cloud/amazon/aws_secret.py
index 41fda7db710..022226580fb 100644
--- a/lib/ansible/modules/cloud/amazon/aws_secret.py
+++ b/lib/ansible/modules/cloud/amazon/aws_secret.py
@@ -327,7 +327,7 @@ def main():
 'description': dict(default=""),
 'kms_key_id': dict(),
 'secret_type': dict(choices=['binary', 'string'], default="string"),
- 'secret': dict(default=""),
+ 'secret': dict(default="", no_log=True),
 'tags': dict(type='dict', default={}),
 'rotation_lambda': dict(),
 'rotation_interval': dict(type='int', default=30),
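Review bot: The `no_log=True` added to the `'secret'` entry only protects runs made after the upgrade, and neither the argument spec nor the changelog fragment says so. Values passed to `secret` before this change may, as far as I can tell from how AnsibleModule records invocations, already sit in syslog/journal on the host that ran the module and in any saved verbose output, so those stores are worth reviewing. I would add a comment above the entry, `# no_log: keeps the secret value out of invocation logging and the returned module_args`, so a later refactor of the spec does not drop the flag silently. A regression check that runs the module with a constructed marker value and asserts the marker is absent from the registered result would pin the behaviour. The enclosing `main()` starts and ends outside the hunk, so whether the secret value is echoed elsewhere (for example in an error message) cannot be judged from here.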