At my current shop we're trying to clean up the display of secrets in Ansible output. The standard recommendation, using "no_log" in the playbook, isn't good for our environment, as we have many playbooks that don't use it and would require a lot of manual review just to find all the spots that need to be edited.
So I looked for a more centralized solution, and found this Stack Overflow post
with a proof-of-concept using an stdout callback plugin that screened output for potential password fields. Inspired by that, I wrote up a callback plugin that filters stdout in two ways:
- JSON field names - if a field name in a module's output matches a pattern list (like /(password|secret)/ ), suppress printing of the field's contents
- Password pattern matching - if the contents of a field to be printed in output match a separate pattern list, suppress the output.
This has worked well for us so far, and I'd like to contribute these features back to the project if possible. I think the best way to do that would be to add the output filtering features to the community.general.diy callback, which already controls many output formatting customizations.
What do people think about this? Is this a feature worth bringing into Ansible, and if so, is my suggestion above the right way to do it? Thanks!