Use environment variables and output_loglevel values to ensure passwords are not displayed during state runs or in log files for relevant cmd.run states.
This is not perfect as the rendered YAML for the state in debug logs will still show the password, but it hides it from the standard output.
Pillar / config required to test the proposed changes
None, existing tests will be fine
Debug log showing how the proposed changes work
Running state [mysql -u root -hlocalhost -p$SALT_PASS smp < /etc/mysql/smp.schema] at time 22:56:03.198010
Executing state cmd.run for [mysql -u root -hlocalhost -p$SALT_PASS db < /etc/mysql/db.schema]
{'pid': 12967, 'retcode': 0, 'stdout': '', 'stderr': ''}
Completed state [mysql -u root -hlocalhost -p$SALT_PASS db < /etc/mysql/db.schema] at time 22:56:03.238271 (duration_in_ms=40.26)
LazyLoaded mysql_user.present
ID: mysql_db_0_load
Function: cmd.run
Name: mysql -u root -hlocalhost -p$SALT_PASS db < /etc/mysql/db.schema
Result: True
Comment: Command "mysql -u root -hlocalhost -p$SALT_PASS db < /etc/mysql/db.schema" run
Started: 22:56:03.198011
Duration: 40.26 ms
Changes:
----------
pid:
12967
retcode:
0
stderr:
stdout:
Documentation checklist
[ ] Updated the README (e.g. Available states).
[ ] Updated pillar.example.
Testing checklist
[ ] Included in Kitchen (i.e. under state_top).
[x] Covered by new/existing tests (e.g. InSpec, Serverspec, etc.).
[ ] Updated the relevant test pillar.
Additional context
Have been running a production environment with these changes for over a year without issue.
PR progress checklist (to be filled in by reviewers)
What type of PR is this?
Primary type
[build] Changes related to the build system
[chore] Changes to the build process or auxiliary tools and libraries such as documentation generation
[ci] Changes to the continuous integration configuration
[feat] A new feature
[fix] A bug fix
[perf] A code change that improves performance
[refactor] A code change that neither fixes a bug nor adds a feature
[revert] A change used to revert a previous commit
[style] Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc.)
Secondary type
[docs] Documentation changes
[test] Adding missing or correcting existing tests
Does this PR introduce a BREAKING CHANGE?
No.
Related issues and/or pull requests
https://github.com/saltstack-formulas/mysql-formula/issues/258
https://github.com/saltstack-formulas/mysql-formula/issues/75
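The pattern this PR describes, shown as a before/after pair of cmd.run states. This is an added example, not the formula's own SLS or code from the PR: the pillar key `mysql:server:root_password`, the `root_pass` variable and the `_before` state ID are assumptions made for illustration, while the command line, `SALT_PASS` and the `mysql_db_0_load` ID are taken from the debug log above.

```yaml
# Added illustration (not the formula's SLS). The pillar key below is an assumption.
{% set root_pass = salt['pillar.get']('mysql:server:root_password', '') %}

# Before: the secret is rendered straight into the command string, so it shows
# up in the state's Name and Comment fields, in the "Running state [...]" and
# "Executing state cmd.run for [...]" log lines, and in the highstate output.
mysql_db_0_load_before:
  cmd.run:
    - name: mysql -u root -hlocalhost -p{{ root_pass }} db < /etc/mysql/db.schema

# After: the command string only ever contains the literal "$SALT_PASS".
# The value travels in the process environment and is expanded by the shell
# at execution time, so Name, Comment and the log lines show the placeholder.
mysql_db_0_load:
  cmd.run:
    - name: mysql -u root -hlocalhost -p$SALT_PASS db < /etc/mysql/db.schema
    - env:
      # yaml_dquote keeps passwords containing quotes, '#' or ':' valid YAML.
      - SALT_PASS: {{ root_pass | yaml_dquote }}
    # quiet stops the command and its output from being written to the minion log.
    - output_loglevel: quiet
```

As the description notes, the rendered state data still contains the `env` value, so it remains visible in debug-level logs of the rendered YAML. The shell also expands `$SALT_PASS` before starting mysql, so the value is passed to that process as a command-line argument.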