automation - Ansible 'no_log' for specific values in debug output, not entire module

Question

I am studying for the RedHat Certified Specialist in Ansible Automation (EX407) and I'm playing around with the no_log module parameter. I have a sample playbook structured as so;

---
- hosts: webservers
  tasks:
  - name: Query vCenter
    vmware_guest:
      hostname: "{{ vcenter['host'] }}"
      username: "{{ vcenter['username'] }}"
      password: "{{ vcenter['password'] }}"
      name: "{{ inventory_hostname }}"
      validate_certs: no
    delegate_to: localhost
    no_log: yes
...

When no_log is disabled, I get a lot of helpful debug information about my VM, but when no_log is disabled I obviously can't protect my playbooks vaulted data (in this case that is the vcenter['username'] and vcenter['password'] values). Enabling no_log cripples my playbooks debug output to just;

"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result",

I would like to know how it is possible to censor only some of the debug output. I know this is possible because vcenter['password'] is protected in it's output regardless of my no_log state. I see this in the verbose output when no_log is disabled;

"invocation": {
        "module_args": {
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "username": "administrator@vsphere.local"
        }
}

What are your thoughts?

question from:https://stackoverflow.com/questions/65947327/ansible-no-log-for-specific-values-in-debug-output-not-entire-module

Answer 1

So I went digging through the VMWare module source code and this is what I found.

password=dict(type='str',
              aliases=['pass', 'pwd'],
              required=False,
              no_log=True,
              fallback=(env_fallback, ['VMWARE_PASSWORD'])),

Looks like Playbooks just aren't exposing this feature. The VMWare modules themselves are enabling no_log on specific attributes in Python. For my part, this is just another functionality Playbooks are hiding. I really wish it was standard to suppress specific attributes, rather than a whole module, but this is where it stands as of Ansible 2.10.