
Use no_log: true for setting zabbix_agent_macros in zabbix_agent role

Open derekpurdy opened this issue 2 years ago • 3 comments

SUMMARY

Use no_log: true for setting Macros in the api.yml task for zabbix agent role.

macro_type of secret was added with #620

ISSUE TYPE

  • Feature Idea

COMPONENT NAME

roles/zabbix_agent/tasks/api.yml "API | Updating host configuration with macros"

ADDITIONAL INFORMATION

Due to sensitive information potentially being set with zabbix_agent_macros when macro_type is set to secret, I believe the "API | Updating host configuration with macros" task should be modified to run with no_log: true.

- name: "API | Updating host configuration with macros"
  community.zabbix.zabbix_hostmacro:
    host_name: "{{ (zabbix_agent2 | bool) | ternary(zabbix_agent2_hostname, zabbix_agent_hostname) }}"
    macro_name: "{{ item.macro_key }}"
    macro_value: "{{ item.macro_value }}"
    macro_type: "{{ item.macro_type|default('text') }}"
  with_items: "{{ zabbix_agent_macros | default([]) }}"
  when:
    - zabbix_agent_macros is defined
    - item.macro_key is defined
  register: zabbix_api_hostmarcro_created
  until: zabbix_api_hostmarcro_created is succeeded
  delegate_to: "{{ zabbix_api_server_host }}"
  tags:
    - api

- name: "API | Updating host configuration with macros"
  community.zabbix.zabbix_hostmacro:
    host_name: "{{ (zabbix_agent2 | bool) | ternary(zabbix_agent2_hostname, zabbix_agent_hostname) }}"
    macro_name: "{{ item.macro_key }}"
    macro_value: "{{ item.macro_value }}"
    macro_type: "{{ item.macro_type|default('text') }}"
  with_items: "{{ zabbix_agent_macros | default([]) }}"
  when:
    - zabbix_agent_macros is defined
    - item.macro_key is defined
  register: zabbix_api_hostmarcro_created
  until: zabbix_api_hostmarcro_created is succeeded
  delegate_to: "{{ zabbix_api_server_host }}"
  tags:
    - api
  no_log: True

derekpurdy avatar Aug 10 '23 15:08 derekpurdy

@derekpurdy I'm curious, do you think data should be masked by the task or by the module? @BGmot, thoughts?

pyrodie18 avatar Aug 11 '23 03:08 pyrodie18

> @derekpurdy I'm curious, do you think data should be masked by the task or by the module? @BGmot, thoughts?

Honestly I'm not sure.

I don't think it's possible, but I think it would be great for it to run no_log: true if it detects a secret macro type, but duplicating it just to add a when clause wouldn't be ideal.

derekpurdy avatar Aug 11 '23 03:08 derekpurdy
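
A task-level variant of the conditional masking raised in this comment, as an added example that is not the role's own code and not part of the thread. It assumes Ansible templates `no_log` once per loop iteration so that `item` is in scope; the two macro entries and `vault_example_api_token` are constructed sample values.

```yaml
# Constructed sample input: one plain-text macro and one secret macro.
# vault_example_api_token is a hypothetical vaulted variable.
zabbix_agent_macros:
  - macro_key: EXAMPLE_TIMEOUT
    macro_value: "30"
  - macro_key: EXAMPLE_API_TOKEN
    macro_value: "{{ vault_example_api_token }}"
    macro_type: secret
```

```yaml
# Same task as in the issue, with no_log driven by the macro type.
# Assumption: no_log is evaluated per item, so only secret macros are censored
# and text macros remain visible in the play output for troubleshooting.
- name: "API | Updating host configuration with macros"
  community.zabbix.zabbix_hostmacro:
    host_name: "{{ (zabbix_agent2 | bool) | ternary(zabbix_agent2_hostname, zabbix_agent_hostname) }}"
    macro_name: "{{ item.macro_key }}"
    macro_value: "{{ item.macro_value }}"
    macro_type: "{{ item.macro_type | default('text') }}"
  with_items: "{{ zabbix_agent_macros | default([]) }}"
  when:
    - zabbix_agent_macros is defined
    - item.macro_key is defined
  register: zabbix_api_hostmarcro_created
  until: zabbix_api_hostmarcro_created is succeeded
  delegate_to: "{{ zabbix_api_server_host }}"
  # Evaluates to true only when the current item is a secret macro.
  no_log: "{{ (item.macro_type | default('text')) == 'secret' }}"
  tags:
    - api
```
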

This might be possible on module level code, I'll take a look.

BGmot avatar Aug 12 '23 13:08 BGmot