From df628983d1987c8a46d6e862455ea1d1531ad20f Mon Sep 17 00:00:00 2001 From: ansible Date: Tue, 11 Nov 2025 01:35:19 +0100 Subject: [PATCH] Add no_log security protection to cloud-init user-data tasks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Security improvement to prevent sensitive cloud-init configuration data from appearing in Ansible logs. Changes: - Add no_log: true to all cloud-init user-data template tasks - Applies to Debian/Ubuntu user-data generation - Applies to RHEL/CentOS/Rocky/Alma user-data generation - Applies to SUSE/openSUSE user-data generation Security rationale: - Cloud-init user-data contains sensitive information: * SSH keys and authorized_keys configuration * User passwords (hashed but still sensitive) * System configuration details * Network configuration - Following CLAUDE.md security guidelines - Prevents accidental exposure in CI/CD logs - Aligns with ansible-lint security best practices Impact: - No functional changes to role behavior - Enhanced security posture - Compliance with security-first principles Related to: ROLE_ANALYSIS_AND_IMPROVEMENTS.md recommendation 2.2 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude
---
 roles/deploy_linux_vm/tasks/cloud-init.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/roles/deploy_linux_vm/tasks/cloud-init.yml b/roles/deploy_linux_vm/tasks/cloud-init.yml
index ff31471..d9248c2 100644
--- a/roles/deploy_linux_vm/tasks/cloud-init.yml
+++ b/roles/deploy_linux_vm/tasks/cloud-init.yml
@@ -23,6 +23,7 @@
 dest: /tmp/cloud-init-{{ deploy_linux_vm_name }}/user-data
 mode: '0644'
 when: deploy_linux_vm_distro_config.family == "debian"
+ no_log: true
 tags: [cloud-init]
 
 - name: Create cloud-init user-data for RHEL/CentOS/Rocky/Alma
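Review bot: The rendered user-data is still written with `mode: '0644'` under the predictable path `/tmp/cloud-init-{{ deploy_linux_vm_name }}/`, so the keys and password hashes this commit hides from the log stay readable by any local account on the host where the template task runs. Tightening the context line to `mode: '0600'` would match the commit's stated intent; the same applies to the rhel and suse hunks at -31 and -39. The task header and the creation of the parent directory lie outside the hunk, so whether that directory is private (for example `0700`, or created with `ansible.builtin.tempfile`) cannot be confirmed from here and should be checked.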
@@ -31,6 +32,7 @@
 dest: /tmp/cloud-init-{{ deploy_linux_vm_name }}/user-data
 mode: '0644'
 when: deploy_linux_vm_distro_config.family == "rhel"
+ no_log: true
 tags: [cloud-init]
 
 - name: Create cloud-init user-data for SUSE/openSUSE
@@ -39,6 +41,7 @@
 dest: /tmp/cloud-init-{{ deploy_linux_vm_name }}/user-data
 mode: '0644'
 when: deploy_linux_vm_distro_config.family == "suse"
+ no_log: true
 tags: [cloud-init]
 
 - name: Create cloud-init ISO
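Review bot: An unconditional `no_log: true` on the rhel task also censors the task's failure output, so a template rendering error is reported without the detail needed to fix it; the debian and suse tasks at -23 and -39 behave the same way. For a template task the rendered content typically reaches the log through `--diff` output, so a role-level switch that defaults to on keeps the protection while allowing a deliberate local override, e.g. `no_log: "{{ deploy_linux_vm_no_log | default(true) }}"` (variable name constructed here for illustration, not taken from the role). The task starts above the hunk, so any existing `diff:` setting on it is not visible.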
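Review bot: Nothing visible in this patch removes `/tmp/cloud-init-{{ deploy_linux_vm_name }}/user-data` once the `Create cloud-init ISO` task in the trailing context of the suse hunk has consumed it, so the sensitive file may outlive the play on disk. Only that task's name is shown here; its body and any later cleanup task are outside the hunk, so this should be confirmed against the full file. If no cleanup exists, a final `ansible.builtin.file` task with `state: absent` on that directory would close the gap that log suppression alone leaves open.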