disable debug loggin

molecule/mask_passwords/verify.yml

@@ -55,7 +55,7 @@
     - name: Verify users and roles
       ansible.builtin.assert:
         that:
-          - "'\"otherencoded\"()' in user_roles.stdout"
+          - "'\"otherencoded\"(admin)' in user_roles.stdout"
           - "'\"other\"()' in user_roles.stdout"
           - "'\"amq\"(admin)' in user_roles.stdout"
         quiet: true
@@ -69,7 +69,7 @@
     - name: Verify users and roles with ldap account
       ansible.builtin.assert:
         that:
-          - "'\"otherencoded\"()' in user_roles.stdout"
+          - "'\"otherencoded\"(admin)' in user_roles.stdout"
           - "'\"other\"()' in user_roles.stdout"
           - "'\"amq\"(admin)' in user_roles.stdout"
         quiet: true

roles/activemq/tasks/mask_password.yml

@@ -8,36 +8,35 @@
     - name: Parse passwd for existing user salt
       ansible.builtin.set_fact:
         hash_password: "{{ item.password | middleware_automation.amq.pbkdf2_hmac(hashname=activemq_mask_password_hashname, iterations=activemq_mask_password_iterations, hexsalt=existing_user[0]) }}"
-      when:
-        - existing_user | length > 0
-      no_log: false
+      when: existing_user | length > 0
+      no_log: true
     - name: Get masked password for user
       ansible.builtin.command: "{{ activemq.instance_home }}/bin/artemis mask --hash {{ '--password-codec' if activemq_password_codec != 'org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec' else '' }} -- '{{ item.password }}'"
       become: true
       become_user: "{{ activemq_service_user }}"
       register: mask_pwd
       changed_when: false
-      no_log: false
-      when: (existing_user | length == 0 or hash_password != existing_user[1])
+      no_log: true
+      when: existing_user | length == 0 or hash_password != existing_user[1]
     - name: Add new masked password to users list
       ansible.builtin.set_fact:
         masked_users: "{{ masked_users | default([]) + [{ 'user': item.user, 'password': mask_pwd.stdout | regex_search('result: (.+)', '\\1', multiline=true) | first, 'roles': item.roles }] }}"
-      no_log: false
+      no_log: true
       when:
         - existing_user | length == 0 or hash_password != existing_user[1]
         - item.password is defined and item.password | length > 0
         - not item.password is regex('^ENC\\([0-9]{4,}:[^:]+:[^:]+\\)')
     - name: Add already masked password to users list
       ansible.builtin.set_fact:
-        masked_users: "{{ masked_users | default([]) + [{ 'user': item.user, 'password': item.password | regex_search('ENC\\((.+)\\)', '\\1', multiline=true), 'roles': item.roles }] }}"
-      no_log: false
+        masked_users: "{{ masked_users | default([]) + [{ 'user': item.user, 'password': item.password | regex_search('ENC\\((.+)\\)', '\\1', multiline=true) | first, 'roles': item.roles }] }}"
+      no_log: true
       when:
         - item.password is defined and item.password | length > 0
         - item.password is regex('^ENC\\([0-9]{4,}:[^:]+:[^:]+\\)')
     - name: Add existing user to users list
       ansible.builtin.set_fact:
         masked_users: "{{ masked_users | default([]) + [{ 'user': item.user, 'password': activemq_mask_password_iterations | string + ':' + existing_user[0] + ':' + existing_user[1], 'roles': item.roles }] }}"
-      no_log: false
+      no_log: true
       when:
         - existing_user | length > 0
         - hash_password == existing_user[1]