new file mode 100644

@@ -0,0 +1,45 @@

+security_fixes:

+  - _sf_account_manager - `initiator_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - _sf_account_manager - `target_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - ce_vrrp - `auth_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - docker_swarm - `signing_ca_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - gcp_compute_backend_service - `oauth2_client_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - gcp_compute_disk - `disk_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - gcp_compute_disk - `source_image_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - gcp_compute_disk - `source_snapshot_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - gcp_compute_image - `image_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - gcp_compute_image - `source_disk_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - gcp_compute_instance_template - `disk_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - gcp_compute_instance_template - `source_image_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - gcp_compute_region_disk - `disk_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - gcp_compute_region_disk - `source_snapshot_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - gcp_compute_ssl_certificate - `private_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - gcp_compute_vpn_tunnel - `shared_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - gcp_sql_instance - `client_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - gitlab_runner - `registration_token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - iap_start_workflow - `token_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - ibm_sa_host - `iscsi_chap_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - keycloak_client - `auth_client_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - keycloak_clienttemplate - `auth_client_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - keycloak_group - `auth_client_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - librato_annotation - `api_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - na_elementsw_account - `initiator_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - na_elementsw_account - `target_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - netscaler_lb_monitor - `radkey` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - nios_nsgroup - `tsig_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - nxos_aaa_server - `global_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - nxos_pim_interface - `hello_auth_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - oneandone_firewall_policy - `auth_token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - oneandone_load_balancer - `auth_token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - oneandone_monitoring_policy - `auth_token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - oneandone_private_network - `auth_token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - oneandone_public_ip - `auth_token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - ovirt - `instance_rootpw` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - pagerduty_alert - `api_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - pagerduty_alert - `integration_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - pagerduty_alert - `service_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - pulp_repo - `feed_client_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - rax_clb_ssl - `private_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - spotinst_aws_elastigroup - `multai_token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - spotinst_aws_elastigroup - `token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

+  - utm_proxy_auth_profile - `frontend_cookie_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).

@@ -57,7 +57,7 @@ def keycloak_argument_spec():

         auth_keycloak_url=dict(type='str', aliases=['url'], required=True),

         auth_client_id=dict(type='str', default='admin-cli'),

         auth_realm=dict(type='str', required=True),

-        auth_client_secret=dict(type='str', default=None),

+        auth_client_secret=dict(type='str', default=None, no_log=True),

         auth_username=dict(type='str', aliases=['username'], required=True),

         auth_password=dict(type='str', aliases=['password'], required=True, no_log=True),

         validate_certs=dict(type='bool', default=True)

@@ -620,7 +620,7 @@ def main():

         name=dict(type='str'),

         labels=dict(type='dict'),

         signing_ca_cert=dict(type='str'),

-        signing_ca_key=dict(type='str'),

+        signing_ca_key=dict(type='str', no_log=True),

         ca_force_rotate=dict(type='int'),

         autolock_managers=dict(type='bool'),

         node_id=dict(type='str'),

@@ -686,7 +686,11 @@ def main():

             health_checks=dict(required=True, type='list', elements='str'),

             iap=dict(

                 type='dict',

-                options=dict(enabled=dict(type='bool'), oauth2_client_id=dict(required=True, type='str'), oauth2_client_secret=dict(required=True, type='str')),

+                options=dict(

+                    enabled=dict(type='bool'),

+                    oauth2_client_id=dict(required=True, type='str'),

+                    oauth2_client_secret=dict(required=True, type='str', no_log=True),

+                ),

             ),

             load_balancing_scheme=dict(default='EXTERNAL', type='str', choices=['INTERNAL', 'EXTERNAL']),

             name=dict(required=True, type='str'),

@@ -440,10 +440,10 @@ def main():

             type=dict(type='str'),

             source_image=dict(type='str'),

             zone=dict(required=True, type='str'),

-            source_image_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'), kms_key_name=dict(type='str'))),

-            disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'), kms_key_name=dict(type='str'))),

+            source_image_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True), kms_key_name=dict(type='str'))),

+            disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True), kms_key_name=dict(type='str'))),

             source_snapshot=dict(type='dict'),

-            source_snapshot_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'), kms_key_name=dict(type='str'))),

+            source_snapshot_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True), kms_key_name=dict(type='str'))),

         )

     )

@@ -444,7 +444,7 @@ def main():

             disk_size_gb=dict(type='int'),

             family=dict(type='str'),

             guest_os_features=dict(type='list', elements='dict', options=dict(type=dict(type='str', choices=['VIRTIO_SCSI_MULTIQUEUE']))),

-            image_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'))),

+            image_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True))),

             labels=dict(type='dict'),

             licenses=dict(type='list', elements='str'),

             name=dict(required=True, type='str'),

@@ -453,7 +453,7 @@ def main():

                 options=dict(container_type=dict(type='str', choices=['TAR']), sha1_checksum=dict(type='str'), source=dict(required=True, type='str')),

             ),

             source_disk=dict(type='dict'),

-            source_disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'))),

+            source_disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True))),

             source_disk_id=dict(type='str'),

             source_type=dict(type='str', choices=['RAW']),

         )

@@ -863,7 +863,13 @@ def main():

                             auto_delete=dict(type='bool'),

                             boot=dict(type='bool'),

                             device_name=dict(type='str'),

-                            disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'), rsa_encrypted_key=dict(type='str'))),

+                            disk_encryption_key=dict(

+                                type='dict',

+                                options=dict(

+                                    raw_key=dict(type='str', no_log=True),

+                                    rsa_encrypted_key=dict(type='str', no_log=True),

+                                ),

+                            ),

                             index=dict(type='int'),

                             initialize_params=dict(

                                 type='dict',

@@ -872,7 +878,7 @@ def main():

                                     disk_size_gb=dict(type='int'),

                                     disk_type=dict(type='str'),

                                     source_image=dict(type='str'),

-                                    source_image_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'))),

+                                    source_image_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True))),

                                 ),

                             ),

                             interface=dict(type='str', choices=['SCSI', 'NVME']),

@@ -354,9 +354,9 @@ def main():

             replica_zones=dict(required=True, type='list', elements='str'),

             type=dict(type='str'),

             region=dict(required=True, type='str'),

-            disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'))),

+            disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True))),

             source_snapshot=dict(type='dict'),

-            source_snapshot_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'))),

+            source_snapshot_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True))),

         )

     )

@@ -163,7 +163,7 @@ def main():

             certificate=dict(required=True, type='str'),

             description=dict(type='str'),

             name=dict(type='str'),

-            private_key=dict(required=True, type='str'),

+            private_key=dict(required=True, type='str', no_log=True),

         )

     )

@@ -269,7 +269,7 @@ def main():

             target_vpn_gateway=dict(required=True, type='dict'),

             router=dict(type='dict'),

             peer_ip=dict(required=True, type='str'),

-            shared_secret=dict(required=True, type='str'),

+            shared_secret=dict(required=True, type='str', no_log=True),

             ike_version=dict(default=2, type='int'),

             local_traffic_selector=dict(type='list', elements='str'),

             remote_traffic_selector=dict(type='list', elements='str'),

@@ -626,7 +626,7 @@ def main():

                         options=dict(

                             ca_certificate=dict(type='str'),

                             client_certificate=dict(type='str'),

-                            client_key=dict(type='str'),

+                            client_key=dict(type='str', no_log=True),

                             connect_retry_interval=dict(type='int'),

                             dump_file_path=dict(type='str'),

                             master_heartbeat_period=dict(type='int'),

@@ -380,7 +380,7 @@ def main():

             instance_gateway=dict(type='str', aliases=['gateway']),

             instance_domain=dict(type='str', aliases=['domain']),

             instance_dns=dict(type='str', aliases=['dns']),

-            instance_rootpw=dict(type='str', aliases=['rootpw']),

+            instance_rootpw=dict(type='str', aliases=['rootpw'], no_log=True),

             instance_key=dict(type='str', aliases=['key']),

             sdomain=dict(type='str'),

             region=dict(type='str'),

@@ -504,7 +504,8 @@ def main():

         argument_spec=dict(

             auth_token=dict(

                 type='str',

-                default=os.environ.get('ONEANDONE_AUTH_TOKEN')),

+                default=os.environ.get('ONEANDONE_AUTH_TOKEN'),

+                no_log=True),

             api_url=dict(

                 type='str',

                 default=os.environ.get('ONEANDONE_API_URL')),

@@ -595,7 +595,8 @@ def main():

         argument_spec=dict(

             auth_token=dict(

                 type='str',

-                default=os.environ.get('ONEANDONE_AUTH_TOKEN')),

+                default=os.environ.get('ONEANDONE_AUTH_TOKEN'),

+                no_log=True),

             api_url=dict(

                 type='str',

                 default=os.environ.get('ONEANDONE_API_URL')),

@@ -950,7 +950,8 @@ def main():

         argument_spec=dict(

             auth_token=dict(

                 type='str',

-                default=os.environ.get('ONEANDONE_AUTH_TOKEN')),

+                default=os.environ.get('ONEANDONE_AUTH_TOKEN'),

+                no_log=True),

             api_url=dict(

                 type='str',

                 default=os.environ.get('ONEANDONE_API_URL')),

@@ -384,7 +384,8 @@ def main():

         argument_spec=dict(

             auth_token=dict(

                 type='str',

-                default=os.environ.get('ONEANDONE_AUTH_TOKEN')),

+                default=os.environ.get('ONEANDONE_AUTH_TOKEN'),

+                no_log=True),

             api_url=dict(

                 type='str',

                 default=os.environ.get('ONEANDONE_API_URL')),

@@ -277,7 +277,8 @@ def main():

         argument_spec=dict(

             auth_token=dict(

                 type='str',

-                default=os.environ.get('ONEANDONE_AUTH_TOKEN')),

+                default=os.environ.get('ONEANDONE_AUTH_TOKEN'),

+                no_log=True),

             api_url=dict(

                 type='str',

                 default=os.environ.get('ONEANDONE_API_URL')),

@@ -236,7 +236,7 @@ def main():

         loadbalancer=dict(required=True),

         state=dict(default='present', choices=['present', 'absent']),

         enabled=dict(type='bool', default=True),

-        private_key=dict(),

+        private_key=dict(no_log=True),

         certificate=dict(),

         intermediate_certificate=dict(),

         secure_port=dict(type='int', default=443),

@@ -1438,7 +1438,7 @@ def main():

         min_size=dict(type='int', required=True),

         monitoring=dict(type='str'),

         multai_load_balancers=dict(type='list'),

-        multai_token=dict(type='str'),

+        multai_token=dict(type='str', no_log=True),

         name=dict(type='str', required=True),

         network_interfaces=dict(type='list'),

         on_demand_count=dict(type='int'),

@@ -1462,7 +1462,7 @@ def main():

         target_group_arns=dict(type='list'),

         tenancy=dict(type='str'),

         terminate_at_end_of_billing_hour=dict(type='bool'),

-        token=dict(type='str'),

+        token=dict(type='str', no_log=True),

         unit=dict(type='str'),

         user_data=dict(type='str'),

         utilize_reserved_instances=dict(type='bool'),

@@ -146,7 +146,7 @@ def main():

     module = AnsibleModule(

         argument_spec=dict(

             user=dict(required=True),

-            api_key=dict(required=True),

+            api_key=dict(required=True, no_log=True),

             name=dict(required=False),

             title=dict(required=True),

             source=dict(required=False),

@@ -190,9 +190,9 @@ def main():

         argument_spec=dict(

             name=dict(required=False),

             service_id=dict(required=True),

-            service_key=dict(require=False),

-            integration_key=dict(require=False),

-            api_key=dict(required=True),

+            service_key=dict(required=False, no_log=True),

+            integration_key=dict(required=False, no_log=True),

+            api_key=dict(required=True, no_log=True),

             state=dict(required=True,

                        choices=['triggered', 'acknowledged', 'resolved']),

             client=dict(required=False, default=None),

@@ -305,7 +305,7 @@ def main():

         address=dict(required=True, ib_req=True),

         name=dict(required=True, ib_req=True),

         stealth=dict(type='bool', default=False),

-        tsig_key=dict(),

+        tsig_key=dict(no_log=True),

         tsig_key_alg=dict(choices=['HMAC-MD5', 'HMAC-SHA256'], default='HMAC-MD5'),

         tsig_key_name=dict(required=True)

     )

@@ -1316,7 +1316,7 @@ def main():

         holding_multiplier=dict(type='str'),

         auth_mode=dict(type='str', choices=['simple', 'md5', 'none']),

         is_plain=dict(type='bool', default=False),

-        auth_key=dict(type='str'),

+        auth_key=dict(type='str', no_log=True),

         fast_resume=dict(type='str', choices=['enable', 'disable']),

         state=dict(type='str', default='present',

                    choices=['present', 'absent'])

@@ -169,7 +169,7 @@ def main():

         argument_spec=dict(

             iap_port=dict(type='str', required=True),

             iap_fqdn=dict(type='str', required=True),

-            token_key=dict(type='str', required=True),

+            token_key=dict(type='str', required=True, no_log=True),

             workflow_name=dict(type='str', required=True),

             description=dict(type='str', required=True),

             variables=dict(type='dict', required=False),

@@ -986,7 +986,7 @@ def main():

         secondarypassword=dict(type='str'),

         logonpointname=dict(type='str'),

         lasversion=dict(type='str'),

-        radkey=dict(type='str'),

+        radkey=dict(type='str', no_log=True),

         radnasid=dict(type='str'),

         radnasip=dict(type='str'),

         radaccounttype=dict(type='float'),

@@ -234,7 +234,7 @@ def default_aaa_server(existing, params, server_type):

 def main():

     argument_spec = dict(

         server_type=dict(type='str', choices=['radius', 'tacacs'], required=True),

-        global_key=dict(type='str'),

+        global_key=dict(type='str', no_log=True),

         encrypt_type=dict(type='str', choices=['0', '7']),

         deadtime=dict(type='str'),

         server_timeout=dict(type='str'),

@@ -435,7 +435,7 @@ def main():

         interface=dict(type='str', required=True),

         sparse=dict(type='bool', default=False),

         dr_prio=dict(type='str'),

-        hello_auth_key=dict(type='str'),

+        hello_auth_key=dict(type='str', no_log=True),

         hello_interval=dict(type='int'),

         jp_policy_out=dict(type='str'),

         jp_policy_in=dict(type='str'),

@@ -293,7 +293,7 @@ def main():

     argument_spec = dict(

         user=dict(required=True, type='str'),

         group=dict(type='str'),

-        pwd=dict(type='str'),

+        pwd=dict(type='str', no_log=True),

         privacy=dict(type='str'),

         authentication=dict(choices=['md5', 'sha']),

         encrypt=dict(type='bool'),

@@ -330,7 +330,7 @@ def main():

         admin_state=dict(required=False, type='str',

                          choices=['shutdown', 'no shutdown', 'default'],

                          default='shutdown'),

-        authentication=dict(required=False, type='str'),

+        authentication=dict(required=False, type='str', no_log=True),

         state=dict(choices=['absent', 'present'], required=False, default='present')

     )

     argument_spec.update(nxos_argument_spec)

@@ -537,7 +537,7 @@ def main():

         generate_sqlite=dict(default=False, type='bool'),

         ca_cert=dict(aliases=['importer_ssl_ca_cert']),

         client_cert=dict(aliases=['importer_ssl_client_cert']),

-        client_key=dict(aliases=['importer_ssl_client_key']),

+        client_key=dict(aliases=['importer_ssl_client_key'], no_log=True),

         name=dict(required=True, aliases=['repo']),

         proxy_host=dict(),

         proxy_port=dict(),

@@ -304,7 +304,7 @@ def main():

         locked=dict(type='bool', default=False),

         access_level=dict(type='str', default='ref_protected', choices=["not_protected", "ref_protected"]),

         maximum_timeout=dict(type='int', default=3600),

-        registration_token=dict(type='str', required=True),

+        registration_token=dict(type='str', required=True, no_log=True),

         state=dict(type='str', default="present", choices=["absent", "present"]),

     ))

@@ -95,7 +95,7 @@ def main():

             cluster=dict(),

             domain=dict(),

             iscsi_chap_name=dict(),

-            iscsi_chap_secret=dict()

+            iscsi_chap_secret=dict(no_log=True)

         )

     )

@@ -120,8 +120,8 @@ class SolidFireAccount(object):

             account_id=dict(required=False, type='int', default=None),

             new_name=dict(required=False, type='str', default=None),

-            initiator_secret=dict(required=False, type='str'),

-            target_secret=dict(required=False, type='str'),

+            initiator_secret=dict(required=False, type='str', no_log=True),

+            target_secret=dict(required=False, type='str', no_log=True),

             attributes=dict(required=False, type='dict'),

             status=dict(required=False, type='str'),

         ))

@@ -142,8 +142,8 @@ class ElementSWAccount(object):

             state=dict(required=True, choices=['present', 'absent']),

             element_username=dict(required=True, aliases=["account_id"], type='str'),

             from_name=dict(required=False, default=None),

-            initiator_secret=dict(required=False, type='str'),

-            target_secret=dict(required=False, type='str'),

+            initiator_secret=dict(required=False, type='str', no_log=True),

+            target_secret=dict(required=False, type='str', no_log=True),

             attributes=dict(required=False, type='dict'),

             status=dict(required=False, type='str'),

         ))

@@ -319,7 +319,7 @@ def main():

             backend_user_suffix=dict(type='str', required=False, default=""),

             comment=dict(type='str', required=False, default=""),

             frontend_cookie=dict(type='str', required=False),

-            frontend_cookie_secret=dict(type='str', required=False),

+            frontend_cookie_secret=dict(type='str', required=False, no_log=True),

             frontend_form=dict(type='str', required=False),

             frontend_form_template=dict(type='str', required=False, default=""),

             frontend_login=dict(type='str', required=False),