ansible/infra-automation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
df628983d1987c8a46d6e862455ea1d1531ad20f
infra-automation/roles/deploy_linux_vm/tasks/cloud-init.yml
ansible df628983d1 Add no_log security protection to cloud-init user-data tasks 
Security improvement to prevent sensitive cloud-init configuration
data from appearing in Ansible logs.

Changes:
- Add no_log: true to all cloud-init user-data template tasks
- Applies to Debian/Ubuntu user-data generation
- Applies to RHEL/CentOS/Rocky/Alma user-data generation
- Applies to SUSE/openSUSE user-data generation

Security rationale:
- Cloud-init user-data contains sensitive information:
  * SSH keys and authorized_keys configuration
  * User passwords (hashed but still sensitive)
  * System configuration details
  * Network configuration
- Following CLAUDE.md security guidelines
- Prevents accidental exposure in CI/CD logs
- Aligns with ansible-lint security best practices

Impact:
- No functional changes to role behavior
- Enhanced security posture
- Compliance with security-first principles

Related to: ROLE_ANALYSIS_AND_IMPROVEMENTS.md recommendation 2.2

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-11 01:35:19 +01:00

2.1 KiB
Raw Blame History

View Raw
Reference in New Issue View Git Blame Copy Permalink