Fix example in docs, and make sure to wipe result variable (#140)

* Fix example in docs, and make sure to wipe result variable. * Update plugins/modules/openssl_privatekey_pipe.py Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru> Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
2020-11-10 10:47:16 +01:00 · 2020-11-10 10:47:16 +01:00 · 68b45c2812
parent 77d652da9a
commit 68b45c2812
1 changed files with 17 additions and 11 deletions
--- a/plugins/modules/openssl_privatekey_pipe.py
+++ b/plugins/modules/openssl_privatekey_pipe.py
@ -59,17 +59,23 @@ EXAMPLES = r'''
    msg: "{{ output.privatekey }}"
  # DO NOT OUTPUT KEY MATERIAL TO CONSOLE OR LOGS IN PRODUCTION!

- name: Update sops-encrypted key with the community.sops collection
-  community.crypto.openssl_privatekey_pipe:
-    content: "{{ lookup('community.sops.sops', 'private_key.pem.sops') }}"
-    size: 2048
-  register: output
-  no_log: true  # make sure that private key data is not accidentally revealed in logs!
- name: Update encrypted key when openssl_privatekey_pipe reported a change
-  community.sops.encrypt_sops:
-    path: private_key.pem.sops
-    content_text: output.privatekey
-  when: output is changed
+- block:
+    - name: Update sops-encrypted key with the community.sops collection
+      community.crypto.openssl_privatekey_pipe:
+        content: "{{ lookup('community.sops.sops', 'private_key.pem.sops') }}"
+        size: 2048
+      register: output
+      no_log: true  # make sure that private key data is not accidentally revealed in logs!
+
+    - name: Update encrypted key when openssl_privatekey_pipe reported a change
+      community.sops.encrypt_sops:
+        path: private_key.pem.sops
+        content_text: "{{ output.privatekey }}"
+      when: output is changed
+  always:
+    - name: Make sure that output (which contains the private key) is overwritten
+      set_fact:
+        output: ''
 '''

 RETURN = r'''