[security] hcloud_certificate, hcloud_server: define no_log values for private_key and ssh_keys parameters (#70)

* hcloud_certificate, hcloud_server: define no_log values for private_key and ssh_keys parameters * Add changelog fragment
2026-02-04 08:01:49 +00:00 · 2021-03-26 10:02:52 +01:00 · 2021-03-26 10:02:52 +01:00 · a05de55f30
commit a05de55f30
parent 9f653cb030
3 changed files with 4 additions and 2 deletions
--- a/changelogs/fragments/70-no_log_security_fixes.yml
+++ b/changelogs/fragments/70-no_log_security_fixes.yml
@ -0,0 +1,2 @@
+security_fixes:
+- hcloud_certificate - mark the ``private_key`` parameter as ``no_log`` to prevent potential leaking of secret values (https://github.com/ansible-collections/hetzner.hcloud/pull/70).
--- a/plugins/modules/hcloud_certificate.py
+++ b/plugins/modules/hcloud_certificate.py
@ -232,7 +232,7 @@ class AnsibleHcloudCertificate(Hcloud):
                id={"type": "int"},
                name={"type": "str"},
                certificate={"type": "str"},
-                private_key={"type": "str"},
+                private_key={"type": "str", "no_log": True},
                labels={"type": "dict"},
                state={
                    "choices": ["absent", "present"],
--- a/plugins/modules/hcloud_server.py
+++ b/plugins/modules/hcloud_server.py
@ -563,7 +563,7 @@ class AnsibleHcloudServer(Hcloud):
                location={"type": "str"},
                datacenter={"type": "str"},
                user_data={"type": "str"},
-                ssh_keys={"type": "list", "elements": "str"},
+                ssh_keys={"type": "list", "elements": "str", "no_log": False},
                volumes={"type": "list", "elements": "str"},
                firewalls={"type": "list", "elements": "str"},
                labels={"type": "dict"},