Security improvement to prevent sensitive cloud-init configuration data from appearing in Ansible logs. Changes: - Add no_log: true to all cloud-init user-data template tasks - Applies to Debian/Ubuntu user-data generation - Applies to RHEL/CentOS/Rocky/Alma user-data generation - Applies to SUSE/openSUSE user-data generation Security rationale: - Cloud-init user-data contains sensitive information: * SSH keys and authorized_keys configuration * User passwords (hashed but still sensitive) * System configuration details * Network configuration - Following CLAUDE.md security guidelines - Prevents accidental exposure in CI/CD logs - Aligns with ansible-lint security best practices Impact: - No functional changes to role behavior - Enhanced security posture - Compliance with security-first principles Related to: ROLE_ANALYSIS_AND_IMPROVEMENTS.md recommendation 2.2 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
---
|
|
# =============================================================================
|
|
# Cloud-Init Tasks - Generate Cloud-Init Configuration
|
|
# =============================================================================
|
|
|
|
- name: Create cloud-init directory
|
|
file:
|
|
path: /tmp/cloud-init-{{ deploy_linux_vm_name }}
|
|
state: directory
|
|
mode: '0755'
|
|
tags: [cloud-init]
|
|
|
|
- name: Create cloud-init meta-data
|
|
template:
|
|
src: meta-data.j2
|
|
dest: /tmp/cloud-init-{{ deploy_linux_vm_name }}/meta-data
|
|
mode: '0644'
|
|
tags: [cloud-init]
|
|
|
|
- name: Create cloud-init user-data for Debian/Ubuntu
|
|
template:
|
|
src: user-data-debian.j2
|
|
dest: /tmp/cloud-init-{{ deploy_linux_vm_name }}/user-data
|
|
mode: '0644'
|
|
when: deploy_linux_vm_distro_config.family == "debian"
|
|
no_log: true
|
|
tags: [cloud-init]
|
|
|
|
- name: Create cloud-init user-data for RHEL/CentOS/Rocky/Alma
|
|
template:
|
|
src: user-data-rhel.j2
|
|
dest: /tmp/cloud-init-{{ deploy_linux_vm_name }}/user-data
|
|
mode: '0644'
|
|
when: deploy_linux_vm_distro_config.family == "rhel"
|
|
no_log: true
|
|
tags: [cloud-init]
|
|
|
|
- name: Create cloud-init user-data for SUSE/openSUSE
|
|
template:
|
|
src: user-data-suse.j2
|
|
dest: /tmp/cloud-init-{{ deploy_linux_vm_name }}/user-data
|
|
mode: '0644'
|
|
when: deploy_linux_vm_distro_config.family == "suse"
|
|
no_log: true
|
|
tags: [cloud-init]
|
|
|
|
- name: Create cloud-init ISO
|
|
command: >
|
|
genisoimage -output {{ deploy_linux_vm_cloud_init_iso_path }}
|
|
-volid cidata -joliet -rock
|
|
/tmp/cloud-init-{{ deploy_linux_vm_name }}/user-data
|
|
/tmp/cloud-init-{{ deploy_linux_vm_name }}/meta-data
|
|
args:
|
|
creates: "{{ deploy_linux_vm_cloud_init_iso_path }}"
|
|
tags: [cloud-init]
|
|
|
|
- name: Set proper permissions on cloud-init ISO (Debian/Ubuntu)
|
|
file:
|
|
path: "{{ deploy_linux_vm_cloud_init_iso_path }}"
|
|
owner: libvirt-qemu
|
|
group: kvm
|
|
mode: '0644'
|
|
when: ansible_os_family == "Debian"
|
|
tags: [cloud-init]
|
|
|
|
- name: Set proper permissions on cloud-init ISO (RHEL)
|
|
file:
|
|
path: "{{ deploy_linux_vm_cloud_init_iso_path }}"
|
|
owner: qemu
|
|
group: qemu
|
|
mode: '0644'
|
|
when: ansible_os_family == "RedHat"
|
|
tags: [cloud-init]
|
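Review bot: no_log hides the rendered user-data from Ansible output, but the three template tasks still write it to disk with `mode: '0644'` inside a `0755` directory under /tmp, so the SSH keys and password hashes the commit message describes remain readable by every local user on the host the tasks run on. Tightening the Debian, RHEL and SUSE user-data tasks to `mode: '0600'` (and the directory task to `mode: '0700'`) closes that without affecting the genisoimage step, which reads the files as the same user; the ISO is likewise left world-readable at `0644` after the ownership tasks, so `'0640'` with the libvirt group would expose the same data more narrowly, if the hypervisor still opens it under that group. Because a template error in the .j2 will now report only that output was suppressed, a comment beside each `no_log: true` such as `# no_log: rendered user-data contains SSH keys and password hashes` would tell the next maintainer why the task is opaque. No cleanup of the /tmp directory is visible in this file; if it is handled elsewhere in the role that is fine, otherwise the rendered user-data persists after the ISO is built.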