ansible-collections / community.zabbix

Zabbix Ansible modules
http://galaxy.ansible.com/community/zabbix

Use no_log: true for setting zabbix_agent_macros in zabbix_agent role #1061

Open derekpurdy opened 1 year ago

derekpurdy commented 1 year ago
SUMMARY

Use no_log: true for setting Macros in the api.yml task for zabbix agent role.

macro_type of secret was added with #620

ISSUE TYPE
COMPONENT NAME

roles/zabbix_agent/tasks/api.yml "API | Updating host configuration with macros"

ADDITIONAL INFORMATION

Due to sensitive information potentially being set with zabbix_agent_macros when macro_type is set to secret, I believe the "API | Updating host configuration with macros" should be modified to run with no_log: true.

```yaml
- name: "API | Updating host configuration with macros"
  community.zabbix.zabbix_hostmacro:
    host_name: "{{ (zabbix_agent2 | bool) | ternary(zabbix_agent2_hostname, zabbix_agent_hostname) }}"
    macro_name: "{{ item.macro_key }}"
    macro_value: "{{ item.macro_value }}"
    macro_type: "{{ item.macro_type|default('text') }}"
  with_items: "{{ zabbix_agent_macros | default([]) }}"
  when:
    - zabbix_agent_macros is defined
    - item.macro_key is defined
  register: zabbix_api_hostmarcro_created
  until: zabbix_api_hostmarcro_created is succeeded
  delegate_to: "{{ zabbix_api_server_host }}"
  tags:
    - api
```

```yaml
- name: "API | Updating host configuration with macros"
  community.zabbix.zabbix_hostmacro:
    host_name: "{{ (zabbix_agent2 | bool) | ternary(zabbix_agent2_hostname, zabbix_agent_hostname) }}"
    macro_name: "{{ item.macro_key }}"
    macro_value: "{{ item.macro_value }}"
    macro_type: "{{ item.macro_type|default('text') }}"
  with_items: "{{ zabbix_agent_macros | default([]) }}"
  when:
    - zabbix_agent_macros is defined
    - item.macro_key is defined
  register: zabbix_api_hostmarcro_created
  until: zabbix_api_hostmarcro_created is succeeded
  delegate_to: "{{ zabbix_api_server_host }}"
  tags:
    - api
  no_log: True
```

pyrodie18 commented 1 year ago

@derekpurdy I'm curious, do you think data should be masked by the task or by the module? @BGmot, thoughts?

derekpurdy commented 1 year ago

> @derekpurdy I'm curious, do you think data should be masked by the task or by the module? @BGmot, thoughts?

Honestly I'm not sure.

I don't think it's possible, but I think it would be great for it to run with no_log: true if it detects a secret macro type; duplicating the task just to add a when clause wouldn't be ideal.

BGmot commented 1 year ago

This might be possible on module level code, I'll take a look.
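
The module-level option raised in the thread, sketched as an added example (not code from community.zabbix or from any commenter): only values whose macro_type is secret are scrubbed from the returned results, so text macros stay visible in the log. The function names, the mask string, the sample macros and the result message format are assumptions made for illustration.

```python
"""Sketch of module-level masking: redact only macros whose macro_type is 'secret'."""

MASK = "********"  # placeholder shown in place of a secret value (constructed)


def secret_values(macros):
    """Return the set of macro_value strings that must never reach the log."""
    return {
        str(m["macro_value"])
        for m in macros
        if m.get("macro_type", "text") == "secret" and m.get("macro_value")
    }


def redact(data, secrets):
    """Recursively replace every occurrence of a secret in a result structure."""
    if isinstance(data, dict):
        return {k: redact(v, secrets) for k, v in data.items()}
    if isinstance(data, (list, tuple)):
        return [redact(v, secrets) for v in data]
    if isinstance(data, str):
        # Longest first, so a secret that contains another one is masked whole.
        for s in sorted(secrets, key=len, reverse=True):
            data = data.replace(s, MASK)
    return data


# Constructed sample in the shape of zabbix_agent_macros from the role.
SAMPLE_MACROS = [
    {"macro_key": "SNMP_COMMUNITY", "macro_value": "public", "macro_type": "text"},
    {"macro_key": "DB_PASSWORD", "macro_value": "s3cr3t-example", "macro_type": "secret"},
    {"macro_key": "SITE", "macro_value": "lab"},  # macro_type defaults to 'text'
]

# Constructed per-item results, as a loop over the macros might register them.
SAMPLE_RESULT = {
    "results": [
        {"item": m, "msg": "Host macro %s set to %s" % (m["macro_key"], m["macro_value"])}
        for m in SAMPLE_MACROS
    ]
}

if __name__ == "__main__":
    import json
    print(json.dumps(redact(SAMPLE_RESULT, secret_values(SAMPLE_MACROS)), indent=2))
```

Substring replacement also masks a secret that appears inside a longer message, which is why very short secret values would over-redact unrelated output.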