feat: Parametrize no_log usage in trustee_server role

spetrosi · claude · richm · commit 4b656a2db4d1 · 2026-05-07T10:36:25.000-06:00
- Replace literal no_log: true with trustee_server_secure_logging variable
- Add no_log: "{{ ansible_verbosity &lt; 2 }}" to service_facts
- Add trustee_server_secure_logging: true to defaults/main.yml
- Document trustee_server_secure_logging variable in README.md

This change allows users to control logging of potentially sensitive
information by setting trustee_server_secure_logging: false for debugging,
while maintaining secure defaults.

For service_facts, the role now uses verbosity-based logging to hide
verbose output unless ansible_verbosity &gt;= 2.

Co-Authored-By: Claude Sonnet 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/README.md b/README.md
@@ -59,6 +59,22 @@ When enabled, the secret registration server:
 
 Clients can then fetch the key from Trustee CDH using attestation.
 
+## Variables
+
+### trustee_server_secure_logging
+
+If `true`, suppress potentially sensitive output from tasks that handle
+credentials, secrets, and other sensitive data by setting `no_log: true` on
+those tasks. This prevents passwords, API tokens, private keys, and similar
+sensitive information from appearing in Ansible logs and console output.
+
+If you need to debug issues with credential handling or secret management, you
+can temporarily set `trustee_server_secure_logging: false` to see the full output from
+these tasks. However, be aware that this may expose sensitive information in
+logs, so it should only be used in development or troubleshooting scenarios.
+
+Default: `true`
+
 ## License
 
 MIT
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -7,3 +7,4 @@ trustee_server_trustee: true
 # Secret registration server service configuration
 trustee_server_secret_registration_enabled: false
 trustee_server_secret_registration_listen_port: 8081
+trustee_server_secure_logging: true
diff --git a/tasks/secret_registration_server.yml b/tasks/secret_registration_server.yml
@@ -29,6 +29,7 @@
 
 - name: Gather service facts for firewall check
   ansible.builtin.service_facts:
+  no_log: "{{ ansible_verbosity < 2 }}"
 
 - name: Allow secret registration server port in firewall
   ansible.posix.firewalld:
diff --git a/tasks/trustee_quadlet.yml b/tasks/trustee_quadlet.yml
@@ -60,10 +60,11 @@
       cp {{ __trustee_server_config_dir }}/as/token.crt {{ __trustee_server_config_dir }}/kbs/trusted_certs/token0.crt
     fi
   changed_when: true
-  no_log: true
+  no_log: "{{ trustee_server_secure_logging }}"
 
 - name: Gather service facts
   ansible.builtin.service_facts:
+  no_log: "{{ ansible_verbosity < 2 }}"
 
 - name: Allow port 8080 in firewall
   ansible.posix.firewalld:
