security: hide content of the service account contents from the logs …

…for GCE When instance is waited for SSH, loop label contains all server data, returned by the driver. One of them is service_account_contents which contains a private key to a GCE service account, used to create VMs in GCE, if GCP_SERVICE_ACCOUNT_CONTENTS environment variable was used.
ansible-community · Feb 22, 2025 · 29b8908 · 29b8908
1 parent 980db38
commit 29b8908
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 0 deletions.
diff --git a/src/molecule_plugins/gce/playbooks/tasks/create_linux_instance.yml b/src/molecule_plugins/gce/playbooks/tasks/create_linux_instance.yml
@@ -56,12 +56,15 @@
     - "Dump instance config"
 
 - name: Wait for SSH
+  no_log: "{{ molecule_no_log }}" # GCE modules leaks GCP_SERVICE_ACCOUNT_CONTENTS value in returned values from module, which contains private key
   ansible.builtin.wait_for:
     port: 22
     host: "{{ item.networkInterfaces.0.accessConfigs.0.natIP if molecule_yml.driver.external_access else item.networkInterfaces.0.networkIP }}"
     search_regex: SSH
     delay: 10
   loop: "{{ server.results }}"
+  loop_control:
+    label: "{{ item.name }}"
   register: waitfor
   until: waitfor.failed == false
   retries: 6

diff --git a/test/gce/scenarios/linux/tasks/create_linux_instance.yml b/test/gce/scenarios/linux/tasks/create_linux_instance.yml
@@ -50,9 +50,11 @@
     - Dump instance config
 
 - name: Wait for SSH
+  no_log: "{{ molecule_no_log }}"
   ansible.builtin.wait_for:
     port: 22
     host: "{{ item.networkInterfaces.0.accessConfigs.0.natIP if molecule_yml.driver.external_access else item.networkInterfaces.0.networkIP }}"
     search_regex: SSH
     delay: 10
   loop: "{{ server.results }}"
+