This is something I'd be quite interested in as well. All of our private
data is stored via ansible-vault, but then it winds up being displayed in
plain text as the playbook executes. In a slightly contrived example, I've
got an encrypted users.yml file that has user passwords. In my playbook, I
pass the variable to the users module as "with_items: users", and wind up
seeing all of the passwords, exactly like Thom pasted above.
Certainly the argument can be made that since I knew the vault password, I
could go look up that information anyway, but I'm more concerned with
someone looking over my shoulder, or the output being some where I don't
control (Jenkins, for instance).
So nothing valuable to add to this discussion, only hoping to see what
others have done to work around this!
On Tue, Jun 10, 2014 at 7:46 AM, Nadir Lloret <nadir.llo...@gmail.com>
wrote:
> I was facing some similar problem.
> Mine is just that the dictionary being included in the output has too many
> values that it makes output messy and I would prefer just to include
> dict.key at the item=() output.
>
> It would be really nice to be able to decide if all the item or just a
> part of it is printed to the output.
>
> El jueves, 5 de junio de 2014 20:15:48 UTC+2, Thom Seddon escribió:
>
>>
>> When you use a loop in an ansible task, e.g. with_items or with_dict, a
>> dump of the item is included in the output. Sometimes these items contain
>> secure infomation which it is undesirable to have output on screen, for
>> example:
>>
>> ---
>> - name: Test
>> hosts: 127.0.0.1
>> vars:
>> dbs:
>> prod:
>> port: 3306
>> password: secret
>> dev:
>> port: 3307
>> password: notsosecret
>> tasks:
>> - command: echo {{ item.value.port }}
>> with_dict: dbs
>>
>>
>> outputs:
>>
>> [thom@ThomComp test]$ ansible-playbook ansible/test.yml
>>
>>
>> PLAY [Test] ************************************************************
>> *******
>>
>>
>> GATHERING FACTS ******************************
>> *********************************
>> ok: [127.0.0.1]
>>
>>
>> TASK: [command echo {{item.value.port}}] ******************************
>> ********
>> changed: [127.0.0.1] => (item={'value': {'password': 'secret', 'port':
>> 3306}, 'key': 'prod'})
>> changed: [127.0.0.1] => (item={'value': {'password': 'notsosecret',
>> 'port': 3307}, 'key': 'dev'})
>>
>>
>> PLAY RECAP ************************************************************
>> ********
>> 127.0.0.1 : ok=2 changed=1 unreachable=0 failed
>> =0
>>
>>
>> At best, I think there should be a way to choose what is output (in this
>> case I would choose the dict.key), at least I think there should be a way
>> to suppress this output.
>>
>> Opinions/ideas?
>>
>> Thanks
>>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-project+unsubscr...@googlegroups.com.
> To post to this group, send email to ansible-project@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/35cc2483-54d2-40db-99ef-172bd0b970d5%40googlegroups.com
> <https://groups.google.com/d/msgid/ansible-project/35cc2483-54d2-40db-99ef-172bd0b970d5%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
> For more options, visit https://groups.google.com/d/optout.
>
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/CAPcsqxnEn_wLyAsVHaEGtQuaHVb9i0X1qiczfCp1ob7h%2BSJnBA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
