
win_powershell tasks with password should use no_log: true #6

Open
jborean93 opened this issue Nov 30, 2023 · 0 comments
Labels
bug Something isn't working

@jborean93

Checklist

  • I have verified this is the correct repository for opening this issue.
  • I have verified no other issues exist related to my problem.
  • I have verified this is not an issue for a specific package.
  • I have verified this issue is not security related.
  • I confirm I am using official, and not unofficial, or modified, Chocolatey products.

What You Are Seeing?

Tasks that provide a password as a parameter should have no_log: true added to the task. Failing to do so means the password will be part of the module invocation and potentially embedded script output that tools like AWX always capture. These tasks should always have no_log: true set so that the output is not captured or displayed when run with a higher verbosity.

What is Expected?

The sensitive info is not shown.

How Did You Get This To Happen?

Ran the tasks, first one as an example

```yaml
- name: Install Nexus Certificate
  when: certificate_copy.changed
  ansible.windows.win_powershell:
    parameters:
      NexusPort: "{{ nexus_port | default(8081) }}"
      CertificatePath: "{{ certificate_copy.dest }}"
      CertificatePassword: "{{ certificate_password }}"
    script: |
      param($NexusPort, $CertificatePath, $CertificatePassword)

      # Check that the certificate and password match
      try {
          $null = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
              $CertificatePath,
              $CertificatePassword,
              32 # EphemeralKeySet
          )
      } catch {
          $Ansible.Result = "Certificate and Password do not match"
          $Ansible.Failed = $true
      }

      # Generate the Keystore file
      $KeyStore = "C:\ProgramData\nexus\etc\ssl\keystore.jks"
      $KeyTool = "C:\ProgramData\nexus\jre\bin\keytool.exe"
      $XmlPath = 'C:\ProgramData\nexus\etc\jetty\jetty-https.xml'
      $Passkey = '{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters', 'digits'], length=32, seed=certificate_password+inventory_hostname) }}'

      if (Test-Path $KeyStore) {
          Remove-Item $KeyStore -Force
      }

      $CurrentAlias = ($($CertificatePassword | & $KeyTool -list -v -storetype PKCS12 -keystore $CertificatePath) -match "^Alias.*")[0].Split(':')[1].Trim()
      & $KeyTool -importkeystore -srckeystore $CertificatePath -srcstoretype PKCS12 -srcstorepass $CertificatePassword -destkeystore $KeyStore -deststoretype JKS -alias $currentAlias -destalias jetty -deststorepass $passkey
      & $KeyTool -keypasswd -keystore $KeyStore -alias jetty -storepass $passkey -keypass $CertificatePassword -new $passkey

      # Update the Jetty XML Configuration
      [xml]$Xml = Get-Content -Path $XmlPath
      $Xml.Configure.New.Where{
          $_.id -match 'ssl'
      }.Set.Where{
          $_.name -match 'password'
      }.ForEach{
          $_.InnerText = $passkey
      }
      $Xml.Save($XmlPath)

      # Update the Nexus Configuration
      $configPath = "C:\ProgramData\sonatype-work\nexus3\etc\nexus.properties"
      (Get-Content $configPath) | Where-Object {$_ -notmatch "application-port-ssl="} | Set-Content $configPath
      @(
          'jetty.https.stsMaxAge=-1'
          "application-port-ssl=$NexusPort"
          'nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml'
      ).ForEach{
          if ((Get-Content -Raw $configPath) -notmatch [regex]::Escape($_)) {
              $_ | Add-Content -Path $configPath
          }
      }

      if ((Get-Service nexus).Status -eq 'Running') {
          Restart-Service nexus
      } else {
          Start-Service nexus
      }
```
will expose CertificatePassword if a verbosity of -vvv or higher is specified. Running in AWX will always capture this output.

System Details

N/A

Installed Packages

N/A

Output Log

N/A

Additional Context

No response
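One way to catch this class of task before a playbook runs, as an added example that is not the issue author's or the Chocolatey project's code: a check over already-parsed tasks (what PyYAML's `yaml.safe_load` returns for a task file) that flags `win_powershell` tasks which receive a secret-looking parameter or template a secret into the script body without `no_log: true`. The `SENSITIVE` name pattern and the sample tasks are assumptions constructed for the example.

```python
import re

# Added example, not from the issue or the Chocolatey project: audit parsed Ansible
# tasks (yaml.safe_load output) for win_powershell tasks handed a secret without no_log: true.
SENSITIVE = re.compile(r"pass(word|wd|key)?|secret|token", re.IGNORECASE)
WIN_POWERSHELL = ("ansible.windows.win_powershell", "win_powershell")
QUOTED = re.compile(r"'[^']*'|\"[^\"]*\"")  # string literals inside {{ }}

def secret_refs(value, path=""):
    """Yield (where, reason) for keys named like a secret and for Jinja
    expressions naming one, e.g. a lookup seeded with certificate_password."""
    if isinstance(value, dict):
        for key, val in value.items():
            here = f"{path}.{key}" if path else str(key)
            if SENSITIVE.search(str(key)):
                yield here, f"key {key!r} looks like a secret"
            yield from secret_refs(val, here)
    elif isinstance(value, list):
        for i, val in enumerate(value):
            yield from secret_refs(val, f"{path}[{i}]")
    elif isinstance(value, str):
        for expr in re.findall(r"\{\{(.*?)\}\}", value, re.DOTALL):
            for ident in set(re.findall(r"[A-Za-z_]\w*", QUOTED.sub("", expr))):
                if SENSITIVE.search(ident):
                    yield path, f"template references {ident!r}"

def unlogged_secret_tasks(tasks):
    """Return [(task name, sorted reasons)] for tasks that fail the check."""
    findings = []
    for task in tasks:
        module = next((m for m in WIN_POWERSHELL if m in task), None)
        if module is None or task.get("no_log") is True:
            continue  # not win_powershell, or already protected
        reasons = sorted({f"{w}: {why}" for w, why in secret_refs(task[module])})
        if reasons:
            findings.append((task.get("name", "<unnamed>"), reasons))
    return findings

# Constructed sample tasks modelled on the issue's task (script trimmed).
SAMPLE_TASKS = [
    {"name": "Install Nexus Certificate",  # as reported: no no_log
     "ansible.windows.win_powershell": {
         "parameters": {"CertificatePassword": "{{ certificate_password }}"},
         "script": "param($CertificatePassword)\n$Passkey = '{{ lookup('ansible.builtin.password',"
                   " '/dev/null', seed=certificate_password+inventory_hostname) }}'\n"}},
    {"name": "Install Nexus Certificate (fixed)", "no_log": True,
     "ansible.windows.win_powershell": {
         "parameters": {"CertificatePassword": "{{ certificate_password }}"},
         "script": "param($CertificatePassword)"}},
]
```

Only the first sample task is reported, with three reasons: the parameter key, the `{{ certificate_password }}` value, and the lookup inside the script that is seeded with the same variable; the task with `no_log: true` passes.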

@jborean93 jborean93 added the bug Something isn't working label Nov 30, 2023