authorMark Chappell <mchappel@redhat.com>2021-04-03 18:22:39 +0200
committerGitHub <noreply@github.com>2021-04-03 11:22:39 -0500
commit8ed0c02e5c3c27dee7a3485de9d8c84171cf43d6 (patch)
tree2511b701f6f81b11f7fd6a5a9b26a87654892fa6
parent399b895095e4f9c72d8e045b8b68fa77edee3bc2 (diff)
downloadansible-8ed0c02e5c3c27dee7a3485de9d8c84171cf43d6.tar.gz
Partial backport of community.aws/471 - no_log=True for aws_secret (#73873)
-rw-r--r--changelogs/fragments/471-no_log.yml2
-rw-r--r--lib/ansible/modules/cloud/amazon/aws_secret.py2
2 files changed, 3 insertions, 1 deletions
diff --git a/changelogs/fragments/471-no_log.yml b/changelogs/fragments/471-no_log.yml
new file mode 100644
index 0000000000..14217c20f5
--- /dev/null
+++ b/changelogs/fragments/471-no_log.yml
@@ -0,0 +1,2 @@
+security_fixes:
+- aws_secret - flag the ``secret`` parameter as containing sensitive data which shouldn't be logged (https://github.com/ansible-collections/community.aws/pull/471).
diff --git a/lib/ansible/modules/cloud/amazon/aws_secret.py b/lib/ansible/modules/cloud/amazon/aws_secret.py
index 41fda7db71..022226580f 100644
--- a/lib/ansible/modules/cloud/amazon/aws_secret.py
+++ b/lib/ansible/modules/cloud/amazon/aws_secret.py
@@ -327,7 +327,7 @@ def main():
'description': dict(default=""),
'kms_key_id': dict(),
'secret_type': dict(choices=['binary', 'string'], default="string"),
- 'secret': dict(default=""),
+ 'secret': dict(default="", no_log=True),
'tags': dict(type='dict', default={}),
'rotation_lambda': dict(),
'rotation_interval': dict(type='int', default=30),
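Review bot: `no_log=True` on the `'secret'` entry masks the parameter in the logged invocation and scrubs exact occurrences of its value from the module result, but it does not cover a transformed copy of that value. Since `secret_type` accepts `binary`, any encoded or converted form of the secret that the rest of `main()` puts into the result, a diff, or an error message could still reach the logs. `main()` starts and continues outside this hunk, so that path needs checking there. A short comment on the changed line would record the intent for later maintainers, e.g. `# no_log: secret material, must not appear in logs or returned output`.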