From a05de55f30758c38775ecad6eb64af16bec0755f Mon Sep 17 00:00:00 2001
From: Andrew Klychkov
Date: Fri, 26 Mar 2021 10:02:52 +0100
Subject: [PATCH] [security] hcloud_certificate, hcloud_server: define no_log values for private_key and ssh_keys parameters (#70)
* hcloud_certificate, hcloud_server: define no_log values for private_key and ssh_keys parameters
* Add changelog fragment
---
 changelogs/fragments/70-no_log_security_fixes.yml | 2 ++
 plugins/modules/hcloud_certificate.py | 2 +-
 plugins/modules/hcloud_server.py | 2 +-
 3 files changed, 4 insertions(+), 2 deletions(-)
 create mode 100644 changelogs/fragments/70-no_log_security_fixes.yml
diff --git a/changelogs/fragments/70-no_log_security_fixes.yml b/changelogs/fragments/70-no_log_security_fixes.yml
new file mode 100644
index 0000000..0c187ab
--- /dev/null
+++ b/changelogs/fragments/70-no_log_security_fixes.yml
@@ -0,0 +1,2 @@
+security_fixes:
+- hcloud_certificate - mark the ``private_key`` parameter as ``no_log`` to prevent potential leaking of secret values (https://github.com/ansible-collections/hetzner.hcloud/pull/70).
diff --git a/plugins/modules/hcloud_certificate.py b/plugins/modules/hcloud_certificate.py
index 7c827ef..381a089 100644
--- a/plugins/modules/hcloud_certificate.py
+++ b/plugins/modules/hcloud_certificate.py
@@ -232,7 +232,7 @@ class AnsibleHcloudCertificate(Hcloud):
 id={"type": "int"},
 name={"type": "str"},
 certificate={"type": "str"},
- private_key={"type": "str"},
+ private_key={"type": "str", "no_log": True},
 labels={"type": "dict"},
 state={
 "choices": ["absent", "present"],
diff --git a/plugins/modules/hcloud_server.py b/plugins/modules/hcloud_server.py
index f96c3d0..25e8445 100644
--- a/plugins/modules/hcloud_server.py
+++ b/plugins/modules/hcloud_server.py
@@ -563,7 +563,7 @@ class AnsibleHcloudServer(Hcloud):
 location={"type": "str"},
 datacenter={"type": "str"},
 user_data={"type": "str"},
- ssh_keys={"type": "list", "elements": "str"},
+ ssh_keys={"type": "list", "elements": "str", "no_log": False},
 volumes={"type": "list", "elements": "str"},
 firewalls={"type": "list", "elements": "str"},
 labels={"type": "dict"},
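Review bot: The explicit `"no_log": False` on `ssh_keys` carries no comment saying why logging is left on, which in a commit titled as a security fix is easy to misread as a protection rather than an opt-out. If the list holds only names or IDs of already-registered public keys (it looks that way from `"elements": "str"`, but the module documentation is outside this hunk), say so next to it, e.g. `# ssh_keys are key names/IDs, not key material; no_log=False is a deliberate opt-out, presumably to satisfy the no_log sanity check`. Separately, `user_data` one line above stays without `no_log`, and cloud-init payloads often embed passwords or tokens, so it is worth deciding whether that value should be masked in module invocation logs. The argument spec that contains these entries starts and ends outside the hunk.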