With sqlcmd, set password with env variable instead of -P for security (

#153)
linux-system-roles · Dec 15, 2022 · 58501bd · 58501bd
1 parent bf947c1
commit 58501bd
Show file tree

Hide file tree

Showing 5 changed files with 8 additions and 11 deletions.
diff --git a/tasks/input_sql_files.yml b/tasks/input_sql_files.yml
@@ -31,8 +31,6 @@
 
 - name: Prepare MSSQL and facts for logging in
   include_tasks: verify_password.yml
-  vars:
-    __mssql_password: "{{ mssql_password }}"
   when: >-
     (__mssql_sqlcmd_login_cmd is none) or
     (__mssql_sqlcmd_login_cmd is not defined)

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -285,15 +285,14 @@
   block:
     - name: Prepare MSSQL and facts for logging in
       include_tasks: verify_password.yml
-      vars:
-        __mssql_password: "{{ mssql_password }}"
 
     - name: Check if the set password matches the existing password
       command: "{{ __mssql_sqlcmd_login_cmd }} -Q 'SELECT @@VERSION'"
+      environment:
+        - SQLCMDPASSWORD: "{{ mssql_password }}"
       ignore_errors: true
       changed_when: false
       register: __mssql_password_query
-      no_log: true
 
     - name: Ensure that the mssql-server service is stopped
       service:

diff --git a/tasks/sqlcmd_input_file.yml b/tasks/sqlcmd_input_file.yml
@@ -27,9 +27,10 @@
     - name: Input {{ item }} with the sqlcmd command
       command: >-
         {{ __mssql_sqlcmd_login_cmd }} -i {{ __mssql_sql_tempfile.path }} -b
+      environment:
+        - SQLCMDPASSWORD: "{{ mssql_password }}"
       register: __mssql_sqlcmd_input
       changed_when: '"successfully" in __mssql_sqlcmd_input.stdout'
-      no_log: true
   always:
     # Role prints the output if the input succeeds, otherwise Ansible prints the
     # output from the failed input tasks

diff --git a/tasks/verify_password.yml b/tasks/verify_password.yml
@@ -17,7 +17,7 @@
   changed_when: false
   register: __mssql_custom_ip_address
 
-- name: Set a fact with a password query
+- name: Set a fact with a login command
   vars:
     __ipaddress: >-
       {{ __mssql_custom_ip_address.stdout |
@@ -34,5 +34,4 @@
       {{ __s_arg }}
       {{ __ipaddress_arg }}{{ ',' if __tcpport
       else '' }}{{ __tcpport if __tcpport else '' }}
-      -U sa -P {{ __mssql_password | quote }}
-  no_log: true
+      -U sa
diff --git a/tests/tasks/verify_settings.yml b/tests/tasks/verify_settings.yml
@@ -59,8 +59,6 @@
         name: linux-system-roles.mssql
         tasks_from: verify_password
         public: true
-      vars:
-        __mssql_password: "{{ __verify_mssql_password }}"
 
     - name: Wait for mssql-server to start and prepare for client connections
       wait_for:
@@ -71,6 +69,8 @@
 
     - name: Check if the set password matches the existing password
       command: "{{ __mssql_sqlcmd_login_cmd }} -Q 'SELECT @@VERSION'"
+      environment:
+        - SQLCMDPASSWORD: "{{ __verify_mssql_password }}"
       ignore_errors: true
       changed_when: false
       register: __mssql_password_query