From 29b89089a109ba02f4f98b10ee686d0157e89999 Mon Sep 17 00:00:00 2001 From: George Shuklin Date: Thu, 20 Feb 2025 20:52:33 +0200 Subject: [PATCH] security: hide content of the service account contents from the logs for GCE When instance is waited for SSH, loop label contains all server data, returned by the driver. One of them is service_account_contents which contains a private key to a GCE service account, used to create VMs in GCE, if GCP_SERVICE_ACCOUNT_CONTENTS environment variable was used. --- .../gce/playbooks/tasks/create_linux_instance.yml | 3 +++ test/gce/scenarios/linux/tasks/create_linux_instance.yml | 2 ++ 2 files changed, 5 insertions(+) diff --git a/src/molecule_plugins/gce/playbooks/tasks/create_linux_instance.yml b/src/molecule_plugins/gce/playbooks/tasks/create_linux_instance.yml index a5efeb33..f8b5bad3 100644 --- a/src/molecule_plugins/gce/playbooks/tasks/create_linux_instance.yml +++ b/src/molecule_plugins/gce/playbooks/tasks/create_linux_instance.yml @@ -56,12 +56,15 @@ - "Dump instance config" - name: Wait for SSH + no_log: "{{ molecule_no_log }}" # GCE modules leaks GCP_SERVICE_ACCOUNT_CONTENTS value in returned values from module, which contains private key ansible.builtin.wait_for: port: 22 host: "{{ item.networkInterfaces.0.accessConfigs.0.natIP if molecule_yml.driver.external_access else item.networkInterfaces.0.networkIP }}" search_regex: SSH delay: 10 loop: "{{ server.results }}" + loop_control: + label: "{{ item.name }}" register: waitfor until: waitfor.failed == false retries: 6 diff --git a/test/gce/scenarios/linux/tasks/create_linux_instance.yml b/test/gce/scenarios/linux/tasks/create_linux_instance.yml index 3c781c45..72bc7655 100644 --- a/test/gce/scenarios/linux/tasks/create_linux_instance.yml +++ b/test/gce/scenarios/linux/tasks/create_linux_instance.yml 
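Review bot: The `loop_control.label` added to the Wait for SSH task only trims the per-item status line at default verbosity; at `-v` and above Ansible still prints the full per-item result including the complete `item`, and `register: waitfor` keeps each item's server dict in `waitfor.results[*].item`, so the only thing that actually withholds `service_account_contents` here is the `no_log` line, which is switched off whenever `molecule_no_log` is false. That is worth saying in the comment so nobody later treats the label as the safeguard, e.g. `no_log: "{{ molecule_no_log }}"  # items of server.results carry service_account_contents (a private key); the loop label below is cosmetic, only no_log hides it (incl. -v output and waitfor.results)`. Since a failing SSH wait is exactly the task users would turn `molecule_no_log` off to debug (inferred from the variable name), consider whether `no_log: true` is acceptable here — the `item.name` label already gives a readable status line without the key. The task's remaining keys may continue past `retries: 6` outside the hunk, and the `server` registration that holds the same data is outside it as well.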
@@ -50,9 +50,11 @@ - Dump instance config - name: Wait for SSH + no_log: "{{ molecule_no_log }}" ansible.builtin.wait_for: port: 22 host: "{{ item.networkInterfaces.0.accessConfigs.0.natIP if molecule_yml.driver.external_access else item.networkInterfaces.0.networkIP }}" search_regex: SSH delay: 10 loop: "{{ server.results }}" +