Moderate severity · NVD Advisory · Published May 26, 2021 · Updated Aug 3, 2024

CVE-2021-20191

Description

A flaw was found in Ansible. Credentials, such as secrets, are disclosed in the console log by default and are not protected by the no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality. Versions before ansible 2.9.18 are affected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Several modules in Ansible versions before 2.9.18 leak secrets in console logs because their arguments lack the no_log flag, enabling credential theft.

Vulnerability

A flaw in Ansible causes several modules to expose sensitive credentials (such as API keys, secrets, and encryption keys) in console log output because the no_log attribute was not applied to those arguments [1][3]. This affects versions before Ansible 2.9.18 [1][3]. The modules include _sf_account_manager, aws_netapp_cvs_active_directory, ce_vrrp, cp_mgmt_vpn_community_meshed, docker_swarm, gcp_compute_backend_service, and many others [2][4].

Exploitation

An attacker who can access the console logs generated during Ansible playbook execution (e.g., through shared CI/CD pipelines, log aggregation services, or local access) can obtain the plaintext secrets. No special privileges beyond log access are required; the credentials are automatically output when the affected modules are used [1][3].

Impact

Successful exploitation leads to disclosure of sensitive credentials, compromising the confidentiality of those secrets. An attacker can use stolen API keys, authentication tokens, or encryption keys to gain unauthorized access to the corresponding services or data [1][3]. The impact is limited to data confidentiality; no integrity or availability impact is described.

Mitigation

Upgrade to Ansible 2.9.18 or later, which includes fixes that add no_log to the vulnerable module arguments [1][2][4]. For versions 2.8.x, the fix is available in commit [cc82d986c40328d4ae81298a9d287c95a6326bb0][4]; for 2.9.x, in commit [d74a1b1d1325af2a24848044cf2858987f5a3ecc][2]. No workarounds are documented; applying the update is the recommended action [1][3].
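
The fix pattern described above (adding `no_log=True` to secret-bearing entries of a module's `argument_spec`) can be audited in custom or vendored modules with a static check. The following is an added example, not code from Ansible or from this advisory; the name heuristic `SECRET_NAME`, the function names and the sample module text are assumptions constructed for illustration, with the sample mirroring the pre-fix spec shapes shown in the patch.

```python
import ast
import re

# Heuristic (an assumption of this example): leaf parameter names ending in a
# secret-like word. kms_key_name or tsig_key_alg do not match; an argument such
# as nxos_vrrp's `authentication` would need to be added by hand.
SECRET_NAME = re.compile(r"(secret|token|passw(?:or)?d|pwd|rootpw|key)$", re.IGNORECASE)

# Constructed sample: only parsed, never executed.
SAMPLE_MODULE = """
def main():
    module = AnsibleModule(
        argument_spec=dict(
            name=dict(type='str'),
            signing_ca_cert=dict(type='str'),
            signing_ca_key=dict(type='str'),
            api_key=dict(required=True, no_log=True),
            disk_encryption_key=dict(type='dict', options=dict(
                raw_key=dict(type='str'),
                kms_key_name=dict(type='str'),
            )),
        )
    )
"""


def _is_dict_call(node):
    """True for a call of the form dict(...)."""
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Name)
            and node.func.id == "dict")


def _kwargs(call):
    """Keyword arguments of a dict(...) call as {name: value node}."""
    return {kw.arg: kw.value for kw in call.keywords if kw.arg is not None}


def _no_log_enabled(spec_kwargs):
    value = spec_kwargs.get("no_log")
    return isinstance(value, ast.Constant) and value.value is True


def _walk_spec(spec_call, path, findings):
    """spec_call is dict(param=dict(...), ...); recurse into options=dict(...)."""
    for name, param in _kwargs(spec_call).items():
        if not _is_dict_call(param):
            continue
        opts = _kwargs(param)
        here = path + [name]
        sub = opts.get("options")
        if _is_dict_call(sub):
            # The patch masks the leaf (raw_key), not the parent dict, so only
            # leaves are judged here.
            _walk_spec(sub, here, findings)
        elif SECRET_NAME.search(name) and not _no_log_enabled(opts):
            findings.append((".".join(here), param.lineno))


def find_unmasked_secrets(source):
    """Return [(dotted parameter path, line number)] for secret-looking
    argument_spec entries that do not set no_log=True."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        root = None
        # Form 1: AnsibleModule(argument_spec=dict(...))
        if isinstance(node, ast.keyword) and node.arg == "argument_spec":
            root = node.value
        # Form 2: argument_spec = dict(...)
        elif isinstance(node, ast.Assign) and any(
                isinstance(t, ast.Name) and t.id == "argument_spec"
                for t in node.targets):
            root = node.value
        if _is_dict_call(root):
            _walk_spec(root, [], findings)
    return findings


if __name__ == "__main__":
    for path, line in find_unmasked_secrets(SAMPLE_MODULE):
        print("line %d: %s has no no_log=True" % (line, path))
```

Specs built under another variable name or assembled dynamically are not seen by this check, so an empty result does not prove a module is clean.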

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| ansible (PyPI) | >= 2.9.0a1, < 2.9.18rc1 | 2.9.18rc1 |
| ansible (PyPI) | < 2.8.19rc1 | 2.8.19rc1 |
| ansible (PyPI) | >= 2.10.0a1, < 2.10.7 | 2.10.7 |

Affected products

74

Patches

2
d74a1b1d1325

[security] Add no_log to several module args (CVE-2021-20191) [2.9] (#73489)

https://github.com/ansible/ansible · Rick Elrod · Feb 5, 2021 · via ghsa
39 files changed · +122 -50
  • changelogs/fragments/new-nolog-entries.yml+57 0 added
    @@ -0,0 +1,57 @@
    +security_fixes:
    +  - _sf_account_manager - `initiator_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - _sf_account_manager - `target_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - aws_netapp_cvs_active_directory - `api_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - aws_netapp_cvs_active_directory - `secret_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - aws_netapp_cvs_filesystems - `api_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - aws_netapp_cvs_filesystems - `secret_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - aws_netapp_cvs_pool - `api_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - aws_netapp_cvs_pool - `secret_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - aws_netapp_cvs_snapshots - `api_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - aws_netapp_cvs_snapshots - `secret_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - ce_vrrp - `auth_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - cp_mgmt_vpn_community_meshed - `shared_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - cp_mgmt_vpn_community_star - `shared_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - docker_swarm - `signing_ca_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gcp_compute_backend_service - `oauth2_client_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gcp_compute_disk - `disk_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gcp_compute_disk - `source_image_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gcp_compute_disk - `source_snapshot_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gcp_compute_image - `image_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gcp_compute_image - `source_disk_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gcp_compute_instance_template - `disk_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gcp_compute_instance_template - `source_image_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gcp_compute_region_disk - `disk_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gcp_compute_region_disk - `source_snapshot_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gcp_compute_snapshot - `snapshot_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gcp_compute_snapshot - `source_disk_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gcp_compute_ssl_certificate - `private_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gcp_compute_vpn_tunnel - `shared_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gcp_sql_instance - `client_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gitlab_runner - `registration_token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - iap_start_workflow - `token_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - ibm_sa_host - `iscsi_chap_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - keycloak_client - `auth_client_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - keycloak_clienttemplate - `auth_client_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - keycloak_group - `auth_client_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - librato_annotation - `api_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - na_elementsw_account - `initiator_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - na_elementsw_account - `target_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - netscaler_lb_monitor - `radkey` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - nios_nsgroup - `tsig_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - nxos_aaa_server - `global_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - nxos_pim_interface - `hello_auth_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - oneandone_firewall_policy - `auth_token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - oneandone_load_balancer - `auth_token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - oneandone_monitoring_policy - `auth_token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - oneandone_private_network - `auth_token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - oneandone_public_ip - `auth_token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - ovirt - `instance_rootpw` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - pagerduty_alert - `api_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - pagerduty_alert - `integration_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - pagerduty_alert - `service_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - pulp_repo - `feed_client_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - rax_clb_ssl - `private_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - spotinst_aws_elastigroup - `multai_token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - spotinst_aws_elastigroup - `token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - utm_proxy_auth_profile - `frontend_cookie_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
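
Review bot: The fragment has no entry for two arguments that the module hunks shown on this page also mask: `pwd` in nxos_snmp_user.py and `authentication` in nxos_vrrp.py. Add a `security_fixes` line for each so the release notes cover every argument this change touches.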
    
  • lib/ansible/modules/cloud/docker/docker_swarm.py+1 1 modified
    @@ -622,7 +622,7 @@ def main():
             name=dict(type='str'),
             labels=dict(type='dict'),
             signing_ca_cert=dict(type='str'),
    -        signing_ca_key=dict(type='str'),
    +        signing_ca_key=dict(type='str', no_log=True),
             ca_force_rotate=dict(type='int'),
             autolock_managers=dict(type='bool'),
             node_id=dict(type='str'),
    
  • lib/ansible/modules/cloud/google/gcp_compute_backend_service.py+5 1 modified
    @@ -732,7 +732,11 @@ def main():
                 health_checks=dict(required=True, type='list', elements='str'),
                 iap=dict(
                     type='dict',
    -                options=dict(enabled=dict(type='bool'), oauth2_client_id=dict(required=True, type='str'), oauth2_client_secret=dict(required=True, type='str')),
    +                options=dict(
    +                    enabled=dict(type='bool'),
    +                    oauth2_client_id=dict(required=True, type='str'),
    +                    oauth2_client_secret=dict(required=True, type='str', no_log=True),
    +                ),
                 ),
                 load_balancing_scheme=dict(default='EXTERNAL', type='str'),
                 name=dict(required=True, type='str'),
    
  • lib/ansible/modules/cloud/google/gcp_compute_disk.py+3 3 modified
    @@ -460,10 +460,10 @@ def main():
                 type=dict(type='str'),
                 source_image=dict(type='str'),
                 zone=dict(required=True, type='str'),
    -            source_image_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'), kms_key_name=dict(type='str'))),
    -            disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'), kms_key_name=dict(type='str'))),
    +            source_image_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True), kms_key_name=dict(type='str'))),
    +            disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True), kms_key_name=dict(type='str'))),
                 source_snapshot=dict(type='dict'),
    -            source_snapshot_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'), kms_key_name=dict(type='str'))),
    +            source_snapshot_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True), kms_key_name=dict(type='str'))),
             )
         )
     
    
  • lib/ansible/modules/cloud/google/gcp_compute_image.py+2 2 modified
    @@ -461,13 +461,13 @@ def main():
                 disk_size_gb=dict(type='int'),
                 family=dict(type='str'),
                 guest_os_features=dict(type='list', elements='dict', options=dict(type=dict(type='str'))),
    -            image_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'))),
    +            image_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True))),
                 labels=dict(type='dict'),
                 licenses=dict(type='list', elements='str'),
                 name=dict(required=True, type='str'),
                 raw_disk=dict(type='dict', options=dict(container_type=dict(type='str'), sha1_checksum=dict(type='str'), source=dict(required=True, type='str'))),
                 source_disk=dict(type='dict'),
    -            source_disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'))),
    +            source_disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True))),
                 source_disk_id=dict(type='str'),
                 source_type=dict(type='str'),
             )
    
  • lib/ansible/modules/cloud/google/gcp_compute_instance_template.py+8 2 modified
    @@ -914,7 +914,13 @@ def main():
                                 auto_delete=dict(type='bool'),
                                 boot=dict(type='bool'),
                                 device_name=dict(type='str'),
    -                            disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'), rsa_encrypted_key=dict(type='str'))),
    +                            disk_encryption_key=dict(
    +                                type='dict',
    +                                options=dict(
    +                                    raw_key=dict(type='str', no_log=True),
    +                                    rsa_encrypted_key=dict(type='str', no_log=True),
    +                                ),
    +                            ),
                                 index=dict(type='int'),
                                 initialize_params=dict(
                                     type='dict',
    @@ -923,7 +929,7 @@ def main():
                                         disk_size_gb=dict(type='int'),
                                         disk_type=dict(type='str'),
                                         source_image=dict(type='str'),
    -                                    source_image_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'))),
    +                                    source_image_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True))),
                                     ),
                                 ),
                                 interface=dict(type='str'),
    
  • lib/ansible/modules/cloud/google/gcp_compute_region_disk.py+2 2 modified
    @@ -369,9 +369,9 @@ def main():
                 replica_zones=dict(required=True, type='list', elements='str'),
                 type=dict(type='str'),
                 region=dict(required=True, type='str'),
    -            disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'))),
    +            disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True))),
                 source_snapshot=dict(type='dict'),
    -            source_snapshot_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'))),
    +            source_snapshot_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True))),
             )
         )
     
    
  • lib/ansible/modules/cloud/google/gcp_compute_snapshot.py+2 2 modified
    @@ -291,8 +291,8 @@ def main():
                 labels=dict(type='dict'),
                 source_disk=dict(required=True, type='dict'),
                 zone=dict(type='str'),
    -            snapshot_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'), kms_key_name=dict(type='str'))),
    -            source_disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'), kms_key_name=dict(type='str'))),
    +            snapshot_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True), kms_key_name=dict(type='str'))),
    +            source_disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True), kms_key_name=dict(type='str'))),
             )
         )
     
    
  • lib/ansible/modules/cloud/google/gcp_compute_ssl_certificate.py+1 1 modified
    @@ -180,7 +180,7 @@ def main():
                 certificate=dict(required=True, type='str'),
                 description=dict(type='str'),
                 name=dict(type='str'),
    -            private_key=dict(required=True, type='str'),
    +            private_key=dict(required=True, type='str', no_log=True),
             )
         )
     
    
  • lib/ansible/modules/cloud/google/gcp_compute_vpn_tunnel.py+1 1 modified
    @@ -280,7 +280,7 @@ def main():
                 target_vpn_gateway=dict(type='dict'),
                 router=dict(type='dict'),
                 peer_ip=dict(type='str'),
    -            shared_secret=dict(required=True, type='str'),
    +            shared_secret=dict(required=True, type='str', no_log=True),
                 ike_version=dict(default=2, type='int'),
                 local_traffic_selector=dict(type='list', elements='str'),
                 remote_traffic_selector=dict(type='list', elements='str'),
    
  • lib/ansible/modules/cloud/google/gcp_sql_instance.py+1 1 modified
    @@ -688,7 +688,7 @@ def main():
                             options=dict(
                                 ca_certificate=dict(type='str'),
                                 client_certificate=dict(type='str'),
    -                            client_key=dict(type='str'),
    +                            client_key=dict(type='str', no_log=True),
                                 connect_retry_interval=dict(type='int'),
                                 dump_file_path=dict(type='str'),
                                 master_heartbeat_period=dict(type='int'),
    
  • lib/ansible/modules/cloud/misc/ovirt.py+1 1 modified
    @@ -380,7 +380,7 @@ def main():
                 instance_gateway=dict(type='str', aliases=['gateway']),
                 instance_domain=dict(type='str', aliases=['domain']),
                 instance_dns=dict(type='str', aliases=['dns']),
    -            instance_rootpw=dict(type='str', aliases=['rootpw']),
    +            instance_rootpw=dict(type='str', aliases=['rootpw'], no_log=True),
                 instance_key=dict(type='str', aliases=['key']),
                 sdomain=dict(type='str'),
                 region=dict(type='str'),
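
Review bot: `instance_key` on the context line right after the changed `instance_rootpw` line is left without no_log. If that argument can carry private key material rather than a public key, it needs the same `no_log=True`; if it is public only, a short comment saying so would save the next auditor the check.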
    
  • lib/ansible/modules/cloud/oneandone/oneandone_firewall_policy.py+2 1 modified
    @@ -504,7 +504,8 @@ def main():
             argument_spec=dict(
                 auth_token=dict(
                     type='str',
    -                default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
    +                default=os.environ.get('ONEANDONE_AUTH_TOKEN'),
    +                no_log=True),
                 api_url=dict(
                     type='str',
                     default=os.environ.get('ONEANDONE_API_URL')),
    
  • lib/ansible/modules/cloud/oneandone/oneandone_load_balancer.py+2 1 modified
    @@ -595,7 +595,8 @@ def main():
             argument_spec=dict(
                 auth_token=dict(
                     type='str',
    -                default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
    +                default=os.environ.get('ONEANDONE_AUTH_TOKEN'),
    +                no_log=True),
                 api_url=dict(
                     type='str',
                     default=os.environ.get('ONEANDONE_API_URL')),
    
  • lib/ansible/modules/cloud/oneandone/oneandone_monitoring_policy.py+2 1 modified
    @@ -950,7 +950,8 @@ def main():
             argument_spec=dict(
                 auth_token=dict(
                     type='str',
    -                default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
    +                default=os.environ.get('ONEANDONE_AUTH_TOKEN'),
    +                no_log=True),
                 api_url=dict(
                     type='str',
                     default=os.environ.get('ONEANDONE_API_URL')),
    
  • lib/ansible/modules/cloud/oneandone/oneandone_private_network.py+2 1 modified
    @@ -384,7 +384,8 @@ def main():
             argument_spec=dict(
                 auth_token=dict(
                     type='str',
    -                default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
    +                default=os.environ.get('ONEANDONE_AUTH_TOKEN'),
    +                no_log=True),
                 api_url=dict(
                     type='str',
                     default=os.environ.get('ONEANDONE_API_URL')),
    
  • lib/ansible/modules/cloud/oneandone/oneandone_public_ip.py+2 1 modified
    @@ -277,7 +277,8 @@ def main():
             argument_spec=dict(
                 auth_token=dict(
                     type='str',
    -                default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
    +                default=os.environ.get('ONEANDONE_AUTH_TOKEN'),
    +                no_log=True),
                 api_url=dict(
                     type='str',
                     default=os.environ.get('ONEANDONE_API_URL')),
    
  • lib/ansible/modules/cloud/rackspace/rax_clb_ssl.py+1 1 modified
    @@ -236,7 +236,7 @@ def main():
             loadbalancer=dict(required=True),
             state=dict(default='present', choices=['present', 'absent']),
             enabled=dict(type='bool', default=True),
    -        private_key=dict(),
    +        private_key=dict(no_log=True),
             certificate=dict(),
             intermediate_certificate=dict(),
             secure_port=dict(type='int', default=443),
    
  • lib/ansible/modules/cloud/spotinst/spotinst_aws_elastigroup.py+2 2 modified
    @@ -1438,7 +1438,7 @@ def main():
             min_size=dict(type='int', required=True),
             monitoring=dict(type='str'),
             multai_load_balancers=dict(type='list'),
    -        multai_token=dict(type='str'),
    +        multai_token=dict(type='str', no_log=True),
             name=dict(type='str', required=True),
             network_interfaces=dict(type='list'),
             on_demand_count=dict(type='int'),
    @@ -1462,7 +1462,7 @@ def main():
             target_group_arns=dict(type='list'),
             tenancy=dict(type='str'),
             terminate_at_end_of_billing_hour=dict(type='bool'),
    -        token=dict(type='str'),
    +        token=dict(type='str', no_log=True),
             unit=dict(type='str'),
             user_data=dict(type='str'),
             utilize_reserved_instances=dict(type='bool'),
    
  • lib/ansible/modules/monitoring/librato_annotation.py+1 1 modified
    @@ -146,7 +146,7 @@ def main():
         module = AnsibleModule(
             argument_spec=dict(
                 user=dict(required=True),
    -            api_key=dict(required=True),
    +            api_key=dict(required=True, no_log=True),
                 name=dict(required=False),
                 title=dict(required=True),
                 source=dict(required=False),
    
  • lib/ansible/modules/monitoring/pagerduty_alert.py+3 3 modified
    @@ -190,9 +190,9 @@ def main():
             argument_spec=dict(
                 name=dict(required=False),
                 service_id=dict(required=True),
    -            service_key=dict(required=False),
    -            integration_key=dict(required=False),
    -            api_key=dict(required=True),
    +            service_key=dict(required=False, no_log=True),
    +            integration_key=dict(required=False, no_log=True),
    +            api_key=dict(required=True, no_log=True),
                 state=dict(required=True,
                            choices=['triggered', 'acknowledged', 'resolved']),
                 client=dict(required=False, default=None),
    
  • lib/ansible/modules/net_tools/nios/nios_nsgroup.py+1 1 modified
    @@ -305,7 +305,7 @@ def grid_secondaries_preferred_primaries_transform(module):
             address=dict(required=True, ib_req=True),
             name=dict(required=True, ib_req=True),
             stealth=dict(type='bool', default=False),
    -        tsig_key=dict(),
    +        tsig_key=dict(no_log=True),
             tsig_key_alg=dict(choices=['HMAC-MD5', 'HMAC-SHA256'], default='HMAC-MD5'),
             tsig_key_name=dict(required=True)
         )
    
  • lib/ansible/modules/network/check_point/cp_mgmt_vpn_community_meshed.py+1 1 modified
    @@ -202,7 +202,7 @@ def main():
             )),
             shared_secrets=dict(type='list', options=dict(
                 external_gateway=dict(type='str'),
    -            shared_secret=dict(type='str')
    +            shared_secret=dict(type='str', no_log=True)
             )),
             tags=dict(type='list'),
             use_shared_secret=dict(type='bool'),
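
Review bot: The parent `shared_secrets=dict(type='list', options=dict(` declares no `elements='dict'`, so it is worth confirming that the suboption spec, and with it the new `no_log=True` on `shared_secret`, is actually applied to each list entry. Declaring `elements='dict'` on the parent makes that explicit; cp_mgmt_vpn_community_star.py has the same shape.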
    
  • lib/ansible/modules/network/check_point/cp_mgmt_vpn_community_star.py+1 1 modified
    @@ -213,7 +213,7 @@ def main():
             satellite_gateways=dict(type='list'),
             shared_secrets=dict(type='list', options=dict(
                 external_gateway=dict(type='str'),
    -            shared_secret=dict(type='str')
    +            shared_secret=dict(type='str', no_log=True)
             )),
             tags=dict(type='list'),
             use_shared_secret=dict(type='bool'),
    
  • lib/ansible/modules/network/cloudengine/ce_vrrp.py+1 1 modified
    @@ -1314,7 +1314,7 @@ def main():
             holding_multiplier=dict(type='str'),
             auth_mode=dict(type='str', choices=['simple', 'md5', 'none']),
             is_plain=dict(type='bool', default=False),
    -        auth_key=dict(type='str'),
    +        auth_key=dict(type='str', no_log=True),
             fast_resume=dict(type='str', choices=['enable', 'disable']),
             state=dict(type='str', default='present',
                        choices=['present', 'absent'])
    
  • lib/ansible/modules/network/itential/iap_start_workflow.py+1 1 modified
    @@ -169,7 +169,7 @@ def main():
             argument_spec=dict(
                 iap_port=dict(type='str', required=True),
                 iap_fqdn=dict(type='str', required=True),
    -            token_key=dict(type='str', required=True),
    +            token_key=dict(type='str', required=True, no_log=True),
                 workflow_name=dict(type='str', required=True),
                 description=dict(type='str', required=True),
                 variables=dict(type='dict', required=False),
    
  • lib/ansible/modules/network/netscaler/netscaler_lb_monitor.py+1 1 modified
    @@ -986,7 +986,7 @@ def main():
             secondarypassword=dict(type='str'),
             logonpointname=dict(type='str'),
             lasversion=dict(type='str'),
    -        radkey=dict(type='str'),
    +        radkey=dict(type='str', no_log=True),
             radnasid=dict(type='str'),
             radnasip=dict(type='str'),
             radaccounttype=dict(type='float'),
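
Review bot: `secondarypassword=dict(type='str')`, three lines above the changed `radkey` line, still has no `no_log=True`. It is a password argument in the same spec and should be masked in this change as well, with a matching changelog entry.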
    
  • lib/ansible/modules/network/nxos/nxos_aaa_server.py+1 1 modified
    @@ -234,7 +234,7 @@ def default_aaa_server(existing, params, server_type):
     def main():
         argument_spec = dict(
             server_type=dict(type='str', choices=['radius', 'tacacs'], required=True),
    -        global_key=dict(type='str'),
    +        global_key=dict(type='str', no_log=True),
             encrypt_type=dict(type='str', choices=['0', '7']),
             deadtime=dict(type='str'),
             server_timeout=dict(type='str'),
    
  • lib/ansible/modules/network/nxos/nxos_pim_interface.py+1 1 modified
    @@ -482,7 +482,7 @@ def main():
             interface=dict(type='str', required=True),
             sparse=dict(type='bool', default=False),
             dr_prio=dict(type='str'),
    -        hello_auth_key=dict(type='str'),
    +        hello_auth_key=dict(type='str', no_log=True),
             hello_interval=dict(type='int'),
             jp_policy_out=dict(type='str'),
             jp_policy_in=dict(type='str'),
    
  • lib/ansible/modules/network/nxos/nxos_snmp_user.py+1 1 modified
    @@ -293,7 +293,7 @@ def main():
         argument_spec = dict(
             user=dict(required=True, type='str'),
             group=dict(type='str'),
    -        pwd=dict(type='str'),
    +        pwd=dict(type='str', no_log=True),
             privacy=dict(type='str'),
             authentication=dict(choices=['md5', 'sha']),
             encrypt=dict(type='bool'),
    
  • lib/ansible/modules/network/nxos/nxos_vrrp.py+1 1 modified
    @@ -330,7 +330,7 @@ def main():
             admin_state=dict(required=False, type='str',
                              choices=['shutdown', 'no shutdown', 'default'],
                              default='shutdown'),
    -        authentication=dict(required=False, type='str'),
    +        authentication=dict(required=False, type='str', no_log=True),
             state=dict(choices=['absent', 'present'], required=False, default='present')
         )
         argument_spec.update(nxos_argument_spec)
    
  • lib/ansible/modules/packaging/os/pulp_repo.py+1 1 modified
    @@ -544,7 +544,7 @@ def main():
             generate_sqlite=dict(default=False, type='bool'),
             feed_ca_cert=dict(aliases=['importer_ssl_ca_cert', 'ca_cert'], deprecated_aliases=[dict(name='ca_cert', version='2.14')]),
             feed_client_cert=dict(aliases=['importer_ssl_client_cert']),
    -        feed_client_key=dict(aliases=['importer_ssl_client_key']),
    +        feed_client_key=dict(aliases=['importer_ssl_client_key'], no_log=True),
             name=dict(required=True, aliases=['repo']),
             proxy_host=dict(),
             proxy_port=dict(),
    
  • lib/ansible/modules/source_control/gitlab_runner.py+1 1 modified
    @@ -304,7 +304,7 @@ def main():
             locked=dict(type='bool', default=False),
             access_level=dict(type='str', default='ref_protected', choices=["not_protected", "ref_protected"]),
             maximum_timeout=dict(type='int', default=3600),
    -        registration_token=dict(type='str', required=True),
    +        registration_token=dict(type='str', required=True, no_log=True),
             state=dict(type='str', default="present", choices=["absent", "present"]),
         ))
     
    
  • lib/ansible/modules/storage/ibm/ibm_sa_host.py+1 1 modified
    @@ -95,7 +95,7 @@ def main():
                 cluster=dict(),
                 domain=dict(),
                 iscsi_chap_name=dict(),
    -            iscsi_chap_secret=dict()
    +            iscsi_chap_secret=dict(no_log=True)
             )
         )
     
    
  • lib/ansible/modules/storage/netapp/na_elementsw_account.py+2 2 modified
    @@ -142,8 +142,8 @@ def __init__(self):
                 state=dict(required=True, choices=['present', 'absent']),
                 element_username=dict(required=True, aliases=["account_id"], type='str'),
                 from_name=dict(required=False, default=None),
    -            initiator_secret=dict(required=False, type='str'),
    -            target_secret=dict(required=False, type='str'),
    +            initiator_secret=dict(required=False, type='str', no_log=True),
    +            target_secret=dict(required=False, type='str', no_log=True),
                 attributes=dict(required=False, type='dict'),
                 status=dict(required=False, type='str'),
             ))
    
  • lib/ansible/modules/storage/netapp/_sf_account_manager.py+2 2 modified
    @@ -120,8 +120,8 @@ def __init__(self):
                 account_id=dict(required=False, type='int', default=None),
     
                 new_name=dict(required=False, type='str', default=None),
    -            initiator_secret=dict(required=False, type='str'),
    -            target_secret=dict(required=False, type='str'),
    +            initiator_secret=dict(required=False, type='str', no_log=True),
    +            target_secret=dict(required=False, type='str', no_log=True),
                 attributes=dict(required=False, type='dict'),
                 status=dict(required=False, type='str'),
             ))
    
  • lib/ansible/modules/web_infrastructure/sophos_utm/utm_proxy_auth_profile.py+1 1 modified
    @@ -319,7 +319,7 @@ def main():
                 backend_user_suffix=dict(type='str', required=False, default=""),
                 comment=dict(type='str', required=False, default=""),
                 frontend_cookie=dict(type='str', required=False),
    -            frontend_cookie_secret=dict(type='str', required=False),
    +            frontend_cookie_secret=dict(type='str', required=False, no_log=True),
                 frontend_form=dict(type='str', required=False),
                 frontend_form_template=dict(type='str', required=False, default=""),
                 frontend_login=dict(type='str', required=False),
    
  • lib/ansible/module_utils/identity/keycloak/keycloak.py+1 1 modified
    @@ -57,7 +57,7 @@ def keycloak_argument_spec():
             auth_keycloak_url=dict(type='str', aliases=['url'], required=True),
             auth_client_id=dict(type='str', default='admin-cli'),
             auth_realm=dict(type='str', required=True),
    -        auth_client_secret=dict(type='str', default=None),
    +        auth_client_secret=dict(type='str', default=None, no_log=True),
             auth_username=dict(type='str', aliases=['username'], required=True),
             auth_password=dict(type='str', aliases=['password'], required=True, no_log=True),
             validate_certs=dict(type='bool', default=True)
    
  • lib/ansible/module_utils/netapp.py+2 2 modified
    @@ -139,8 +139,8 @@ def aws_cvs_host_argument_spec():
         return dict(
             api_url=dict(required=True, type='str'),
             validate_certs=dict(required=False, type='bool', default=True),
    -        api_key=dict(required=True, type='str'),
    -        secret_key=dict(required=True, type='str')
    +        api_key=dict(required=True, type='str', no_log=True),
    +        secret_key=dict(required=True, type='str', no_log=True)
         )
     
     
    
cc82d986c403

[security] Add no_log to several module args (CVE-2021-20191) [2.8] (#73488)

https://github.com/ansible/ansible · Rick Elrod · Feb 5, 2021 · via ghsa
35 files changed · +104 44
  • changelogs/fragments/new-nolog-entries.yml+45 0 added
    @@ -0,0 +1,45 @@
    +security_fixes:
    +  - _sf_account_manager - `initiator_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - _sf_account_manager - `target_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - ce_vrrp - `auth_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - docker_swarm - `signing_ca_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gcp_compute_backend_service - `oauth2_client_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gcp_compute_disk - `disk_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gcp_compute_disk - `source_image_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gcp_compute_disk - `source_snapshot_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gcp_compute_image - `image_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gcp_compute_image - `source_disk_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gcp_compute_instance_template - `disk_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gcp_compute_instance_template - `source_image_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gcp_compute_region_disk - `disk_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gcp_compute_region_disk - `source_snapshot_encryption_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gcp_compute_ssl_certificate - `private_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gcp_compute_vpn_tunnel - `shared_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gcp_sql_instance - `client_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - gitlab_runner - `registration_token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - iap_start_workflow - `token_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - ibm_sa_host - `iscsi_chap_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - keycloak_client - `auth_client_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - keycloak_clienttemplate - `auth_client_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - keycloak_group - `auth_client_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - librato_annotation - `api_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - na_elementsw_account - `initiator_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - na_elementsw_account - `target_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - netscaler_lb_monitor - `radkey` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - nios_nsgroup - `tsig_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - nxos_aaa_server - `global_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - nxos_pim_interface - `hello_auth_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - oneandone_firewall_policy - `auth_token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - oneandone_load_balancer - `auth_token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - oneandone_monitoring_policy - `auth_token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - oneandone_private_network - `auth_token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - oneandone_public_ip - `auth_token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - ovirt - `instance_rootpw` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - pagerduty_alert - `api_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - pagerduty_alert - `integration_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - pagerduty_alert - `service_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - pulp_repo - `feed_client_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - rax_clb_ssl - `private_key` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - spotinst_aws_elastigroup - `multai_token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - spotinst_aws_elastigroup - `token` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
    +  - utm_proxy_auth_profile - `frontend_cookie_secret` is now masked with no_log and no longer emitted in logging/output (CVE-2021-20191).
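
    Review bot: the fragment has no entry for two options that this same commit masks: `pwd` in nxos_snmp_user and `authentication` in nxos_vrrp both gain no_log=True in later hunks but are not listed under security_fixes. Anyone using the changelog to decide which credentials to rotate would miss them, so add one line per option in the same format. The gcp_compute_instance_template entries also name only the parent options `disk_encryption_key` and `source_image_encryption_key`, while the fields actually masked are the nested `raw_key` and `rsa_encrypted_key`; naming the nested fields would make the entries match the code.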
    
  • lib/ansible/modules/cloud/docker/docker_swarm.py+1 1 modified
    @@ -620,7 +620,7 @@ def main():
             name=dict(type='str'),
             labels=dict(type='dict'),
             signing_ca_cert=dict(type='str'),
    -        signing_ca_key=dict(type='str'),
    +        signing_ca_key=dict(type='str', no_log=True),
             ca_force_rotate=dict(type='int'),
             autolock_managers=dict(type='bool'),
             node_id=dict(type='str'),
    
  • lib/ansible/modules/cloud/google/gcp_compute_backend_service.py+5 1 modified
    @@ -686,7 +686,11 @@ def main():
                 health_checks=dict(required=True, type='list', elements='str'),
                 iap=dict(
                     type='dict',
    -                options=dict(enabled=dict(type='bool'), oauth2_client_id=dict(required=True, type='str'), oauth2_client_secret=dict(required=True, type='str')),
    +                options=dict(
    +                    enabled=dict(type='bool'),
    +                    oauth2_client_id=dict(required=True, type='str'),
    +                    oauth2_client_secret=dict(required=True, type='str', no_log=True),
    +                ),
                 ),
                 load_balancing_scheme=dict(default='EXTERNAL', type='str', choices=['INTERNAL', 'EXTERNAL']),
                 name=dict(required=True, type='str'),
    
  • lib/ansible/modules/cloud/google/gcp_compute_disk.py+3 3 modified
    @@ -440,10 +440,10 @@ def main():
                 type=dict(type='str'),
                 source_image=dict(type='str'),
                 zone=dict(required=True, type='str'),
    -            source_image_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'), kms_key_name=dict(type='str'))),
    -            disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'), kms_key_name=dict(type='str'))),
    +            source_image_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True), kms_key_name=dict(type='str'))),
    +            disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True), kms_key_name=dict(type='str'))),
                 source_snapshot=dict(type='dict'),
    -            source_snapshot_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'), kms_key_name=dict(type='str'))),
    +            source_snapshot_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True), kms_key_name=dict(type='str'))),
             )
         )
     
    
  • lib/ansible/modules/cloud/google/gcp_compute_image.py+2 2 modified
    @@ -444,7 +444,7 @@ def main():
                 disk_size_gb=dict(type='int'),
                 family=dict(type='str'),
                 guest_os_features=dict(type='list', elements='dict', options=dict(type=dict(type='str', choices=['VIRTIO_SCSI_MULTIQUEUE']))),
    -            image_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'))),
    +            image_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True))),
                 labels=dict(type='dict'),
                 licenses=dict(type='list', elements='str'),
                 name=dict(required=True, type='str'),
    @@ -453,7 +453,7 @@ def main():
                     options=dict(container_type=dict(type='str', choices=['TAR']), sha1_checksum=dict(type='str'), source=dict(required=True, type='str')),
                 ),
                 source_disk=dict(type='dict'),
    -            source_disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'))),
    +            source_disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True))),
                 source_disk_id=dict(type='str'),
                 source_type=dict(type='str', choices=['RAW']),
             )
    
  • lib/ansible/modules/cloud/google/gcp_compute_instance_template.py+8 2 modified
    @@ -863,7 +863,13 @@ def main():
                                 auto_delete=dict(type='bool'),
                                 boot=dict(type='bool'),
                                 device_name=dict(type='str'),
    -                            disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'), rsa_encrypted_key=dict(type='str'))),
    +                            disk_encryption_key=dict(
    +                                type='dict',
    +                                options=dict(
    +                                    raw_key=dict(type='str', no_log=True),
    +                                    rsa_encrypted_key=dict(type='str', no_log=True),
    +                                ),
    +                            ),
                                 index=dict(type='int'),
                                 initialize_params=dict(
                                     type='dict',
    @@ -872,7 +878,7 @@ def main():
                                         disk_size_gb=dict(type='int'),
                                         disk_type=dict(type='str'),
                                         source_image=dict(type='str'),
    -                                    source_image_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'))),
    +                                    source_image_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True))),
                                     ),
                                 ),
                                 interface=dict(type='str', choices=['SCSI', 'NVME']),
    
  • lib/ansible/modules/cloud/google/gcp_compute_region_disk.py+2 2 modified
    @@ -354,9 +354,9 @@ def main():
                 replica_zones=dict(required=True, type='list', elements='str'),
                 type=dict(type='str'),
                 region=dict(required=True, type='str'),
    -            disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'))),
    +            disk_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True))),
                 source_snapshot=dict(type='dict'),
    -            source_snapshot_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str'))),
    +            source_snapshot_encryption_key=dict(type='dict', options=dict(raw_key=dict(type='str', no_log=True))),
             )
         )
     
    
  • lib/ansible/modules/cloud/google/gcp_compute_ssl_certificate.py+1 1 modified
    @@ -163,7 +163,7 @@ def main():
                 certificate=dict(required=True, type='str'),
                 description=dict(type='str'),
                 name=dict(type='str'),
    -            private_key=dict(required=True, type='str'),
    +            private_key=dict(required=True, type='str', no_log=True),
             )
         )
     
    
  • lib/ansible/modules/cloud/google/gcp_compute_vpn_tunnel.py+1 1 modified
    @@ -269,7 +269,7 @@ def main():
                 target_vpn_gateway=dict(required=True, type='dict'),
                 router=dict(type='dict'),
                 peer_ip=dict(required=True, type='str'),
    -            shared_secret=dict(required=True, type='str'),
    +            shared_secret=dict(required=True, type='str', no_log=True),
                 ike_version=dict(default=2, type='int'),
                 local_traffic_selector=dict(type='list', elements='str'),
                 remote_traffic_selector=dict(type='list', elements='str'),
    
  • lib/ansible/modules/cloud/google/gcp_sql_instance.py+1 1 modified
    @@ -626,7 +626,7 @@ def main():
                             options=dict(
                                 ca_certificate=dict(type='str'),
                                 client_certificate=dict(type='str'),
    -                            client_key=dict(type='str'),
    +                            client_key=dict(type='str', no_log=True),
                                 connect_retry_interval=dict(type='int'),
                                 dump_file_path=dict(type='str'),
                                 master_heartbeat_period=dict(type='int'),
    
  • lib/ansible/modules/cloud/misc/ovirt.py+1 1 modified
    @@ -380,7 +380,7 @@ def main():
                 instance_gateway=dict(type='str', aliases=['gateway']),
                 instance_domain=dict(type='str', aliases=['domain']),
                 instance_dns=dict(type='str', aliases=['dns']),
    -            instance_rootpw=dict(type='str', aliases=['rootpw']),
    +            instance_rootpw=dict(type='str', aliases=['rootpw'], no_log=True),
                 instance_key=dict(type='str', aliases=['key']),
                 sdomain=dict(type='str'),
                 region=dict(type='str'),
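
    Review bot: `instance_key=dict(type='str', aliases=['key'])`, the context line directly after the fixed `instance_rootpw`, is left without a no_log setting. Confirm whether it carries a public SSH key or private key material; if the latter it needs no_log=True in this same change, and if it is public an explicit no_log=False would record that it was reviewed.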
    
  • lib/ansible/modules/cloud/oneandone/oneandone_firewall_policy.py+2 1 modified
    @@ -504,7 +504,8 @@ def main():
             argument_spec=dict(
                 auth_token=dict(
                     type='str',
    -                default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
    +                default=os.environ.get('ONEANDONE_AUTH_TOKEN'),
    +                no_log=True),
                 api_url=dict(
                     type='str',
                     default=os.environ.get('ONEANDONE_API_URL')),
    
  • lib/ansible/modules/cloud/oneandone/oneandone_load_balancer.py+2 1 modified
    @@ -595,7 +595,8 @@ def main():
             argument_spec=dict(
                 auth_token=dict(
                     type='str',
    -                default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
    +                default=os.environ.get('ONEANDONE_AUTH_TOKEN'),
    +                no_log=True),
                 api_url=dict(
                     type='str',
                     default=os.environ.get('ONEANDONE_API_URL')),
    
  • lib/ansible/modules/cloud/oneandone/oneandone_monitoring_policy.py+2 1 modified
    @@ -950,7 +950,8 @@ def main():
             argument_spec=dict(
                 auth_token=dict(
                     type='str',
    -                default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
    +                default=os.environ.get('ONEANDONE_AUTH_TOKEN'),
    +                no_log=True),
                 api_url=dict(
                     type='str',
                     default=os.environ.get('ONEANDONE_API_URL')),
    
  • lib/ansible/modules/cloud/oneandone/oneandone_private_network.py+2 1 modified
    @@ -384,7 +384,8 @@ def main():
             argument_spec=dict(
                 auth_token=dict(
                     type='str',
    -                default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
    +                default=os.environ.get('ONEANDONE_AUTH_TOKEN'),
    +                no_log=True),
                 api_url=dict(
                     type='str',
                     default=os.environ.get('ONEANDONE_API_URL')),
    
  • lib/ansible/modules/cloud/oneandone/oneandone_public_ip.py+2 1 modified
    @@ -277,7 +277,8 @@ def main():
             argument_spec=dict(
                 auth_token=dict(
                     type='str',
    -                default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
    +                default=os.environ.get('ONEANDONE_AUTH_TOKEN'),
    +                no_log=True),
                 api_url=dict(
                     type='str',
                     default=os.environ.get('ONEANDONE_API_URL')),
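
    Review bot: this is the fifth oneandone module in the commit to receive the identical two-line `auth_token` change (firewall_policy, load_balancer, monitoring_policy, private_network, public_ip), and the `auth_token`/`api_url` pair is copied verbatim in each. Moving that pair into a shared argument spec helper, the way `keycloak_argument_spec()` serves the keycloak modules, would let the next fix of this kind land in one place. Not a blocker for a security backport, but worth a follow-up.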
    
  • lib/ansible/modules/cloud/rackspace/rax_clb_ssl.py+1 1 modified
    @@ -236,7 +236,7 @@ def main():
             loadbalancer=dict(required=True),
             state=dict(default='present', choices=['present', 'absent']),
             enabled=dict(type='bool', default=True),
    -        private_key=dict(),
    +        private_key=dict(no_log=True),
             certificate=dict(),
             intermediate_certificate=dict(),
             secure_port=dict(type='int', default=443),
    
  • lib/ansible/modules/cloud/spotinst/spotinst_aws_elastigroup.py+2 2 modified
    @@ -1438,7 +1438,7 @@ def main():
             min_size=dict(type='int', required=True),
             monitoring=dict(type='str'),
             multai_load_balancers=dict(type='list'),
    -        multai_token=dict(type='str'),
    +        multai_token=dict(type='str', no_log=True),
             name=dict(type='str', required=True),
             network_interfaces=dict(type='list'),
             on_demand_count=dict(type='int'),
    @@ -1462,7 +1462,7 @@ def main():
             target_group_arns=dict(type='list'),
             tenancy=dict(type='str'),
             terminate_at_end_of_billing_hour=dict(type='bool'),
    -        token=dict(type='str'),
    +        token=dict(type='str', no_log=True),
             unit=dict(type='str'),
             user_data=dict(type='str'),
             utilize_reserved_instances=dict(type='bool'),
    
  • lib/ansible/modules/monitoring/librato_annotation.py+1 1 modified
    @@ -146,7 +146,7 @@ def main():
         module = AnsibleModule(
             argument_spec=dict(
                 user=dict(required=True),
    -            api_key=dict(required=True),
    +            api_key=dict(required=True, no_log=True),
                 name=dict(required=False),
                 title=dict(required=True),
                 source=dict(required=False),
    
  • lib/ansible/modules/monitoring/pagerduty_alert.py+3 3 modified
    @@ -190,9 +190,9 @@ def main():
             argument_spec=dict(
                 name=dict(required=False),
                 service_id=dict(required=True),
    -            service_key=dict(require=False),
    -            integration_key=dict(require=False),
    -            api_key=dict(required=True),
    +            service_key=dict(required=False, no_log=True),
    +            integration_key=dict(required=False, no_log=True),
    +            api_key=dict(required=True, no_log=True),
                 state=dict(required=True,
                            choices=['triggered', 'acknowledged', 'resolved']),
                 client=dict(required=False, default=None),
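
    Review bot: the removed `service_key` and `integration_key` lines spell the keyword `require=False`, and the added lines change it to `required=False` while also adding no_log. That is a second, unrelated correction riding along in a security backport, and neither the commit title nor the changelog fragment mentions it. Both spellings should leave the options optional, but state the typo fix in the commit message so the backport review can confirm there is no behaviour change.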
    
  • lib/ansible/modules/net_tools/nios/nios_nsgroup.py+1 1 modified
    @@ -305,7 +305,7 @@ def grid_secondaries_preferred_primaries_transform(module):
             address=dict(required=True, ib_req=True),
             name=dict(required=True, ib_req=True),
             stealth=dict(type='bool', default=False),
    -        tsig_key=dict(),
    +        tsig_key=dict(no_log=True),
             tsig_key_alg=dict(choices=['HMAC-MD5', 'HMAC-SHA256'], default='HMAC-MD5'),
             tsig_key_name=dict(required=True)
         )
    
  • lib/ansible/modules/network/cloudengine/ce_vrrp.py+1 1 modified
    @@ -1316,7 +1316,7 @@ def main():
             holding_multiplier=dict(type='str'),
             auth_mode=dict(type='str', choices=['simple', 'md5', 'none']),
             is_plain=dict(type='bool', default=False),
    -        auth_key=dict(type='str'),
    +        auth_key=dict(type='str', no_log=True),
             fast_resume=dict(type='str', choices=['enable', 'disable']),
             state=dict(type='str', default='present',
                        choices=['present', 'absent'])
    
  • lib/ansible/modules/network/itential/iap_start_workflow.py+1 1 modified
    @@ -169,7 +169,7 @@ def main():
             argument_spec=dict(
                 iap_port=dict(type='str', required=True),
                 iap_fqdn=dict(type='str', required=True),
    -            token_key=dict(type='str', required=True),
    +            token_key=dict(type='str', required=True, no_log=True),
                 workflow_name=dict(type='str', required=True),
                 description=dict(type='str', required=True),
                 variables=dict(type='dict', required=False),
    
  • lib/ansible/modules/network/netscaler/netscaler_lb_monitor.py+1 1 modified
    @@ -986,7 +986,7 @@ def main():
             secondarypassword=dict(type='str'),
             logonpointname=dict(type='str'),
             lasversion=dict(type='str'),
    -        radkey=dict(type='str'),
    +        radkey=dict(type='str', no_log=True),
             radnasid=dict(type='str'),
             radnasip=dict(type='str'),
             radaccounttype=dict(type='float'),
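
    Review bot: `secondarypassword=dict(type='str')`, the first context line of this hunk, is still declared without no_log, three lines above the `radkey` option being fixed. If it carries a credential, as its name indicates, it is emitted in logs and output exactly as `radkey` was before this change; add no_log=True to it here and give it its own changelog entry.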
    
  • lib/ansible/modules/network/nxos/nxos_aaa_server.py+1 1 modified
    @@ -234,7 +234,7 @@ def default_aaa_server(existing, params, server_type):
     def main():
         argument_spec = dict(
             server_type=dict(type='str', choices=['radius', 'tacacs'], required=True),
    -        global_key=dict(type='str'),
    +        global_key=dict(type='str', no_log=True),
             encrypt_type=dict(type='str', choices=['0', '7']),
             deadtime=dict(type='str'),
             server_timeout=dict(type='str'),
    
  • lib/ansible/modules/network/nxos/nxos_pim_interface.py+1 1 modified
    @@ -435,7 +435,7 @@ def main():
             interface=dict(type='str', required=True),
             sparse=dict(type='bool', default=False),
             dr_prio=dict(type='str'),
    -        hello_auth_key=dict(type='str'),
    +        hello_auth_key=dict(type='str', no_log=True),
             hello_interval=dict(type='int'),
             jp_policy_out=dict(type='str'),
             jp_policy_in=dict(type='str'),
    
  • lib/ansible/modules/network/nxos/nxos_snmp_user.py+1 1 modified
    @@ -293,7 +293,7 @@ def main():
         argument_spec = dict(
             user=dict(required=True, type='str'),
             group=dict(type='str'),
    -        pwd=dict(type='str'),
    +        pwd=dict(type='str', no_log=True),
             privacy=dict(type='str'),
             authentication=dict(choices=['md5', 'sha']),
             encrypt=dict(type='bool'),
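
    Review bot: `privacy=dict(type='str')`, directly below the fixed `pwd` line, stays unmasked. If this option takes the SNMPv3 privacy passphrase rather than a protocol name, it needs no_log=True as well; if it is not secret, an explicit no_log=False would record that it was reviewed.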
    
  • lib/ansible/modules/network/nxos/nxos_vrrp.py+1 1 modified
    @@ -330,7 +330,7 @@ def main():
             admin_state=dict(required=False, type='str',
                              choices=['shutdown', 'no shutdown', 'default'],
                              default='shutdown'),
    -        authentication=dict(required=False, type='str'),
    +        authentication=dict(required=False, type='str', no_log=True),
             state=dict(choices=['absent', 'present'], required=False, default='present')
         )
         argument_spec.update(nxos_argument_spec)
    
  • lib/ansible/modules/packaging/os/pulp_repo.py+1 1 modified
    @@ -537,7 +537,7 @@ def main():
             generate_sqlite=dict(default=False, type='bool'),
             ca_cert=dict(aliases=['importer_ssl_ca_cert']),
             client_cert=dict(aliases=['importer_ssl_client_cert']),
    -        client_key=dict(aliases=['importer_ssl_client_key']),
    +        client_key=dict(aliases=['importer_ssl_client_key'], no_log=True),
             name=dict(required=True, aliases=['repo']),
             proxy_host=dict(),
             proxy_port=dict(),
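
    Review bot: the option masked in this hunk is `client_key`, but the changelog fragment in this commit records it as `pulp_repo - feed_client_key`, which is the name the option has in the 2.9 version of the same fix. On this branch the entry should read `client_key` so that users can match it against the parameter names in their playbooks.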
    
  • lib/ansible/modules/source_control/gitlab_runner.py+1 1 modified
    @@ -304,7 +304,7 @@ def main():
             locked=dict(type='bool', default=False),
             access_level=dict(type='str', default='ref_protected', choices=["not_protected", "ref_protected"]),
             maximum_timeout=dict(type='int', default=3600),
    -        registration_token=dict(type='str', required=True),
    +        registration_token=dict(type='str', required=True, no_log=True),
             state=dict(type='str', default="present", choices=["absent", "present"]),
         ))
     
    
  • lib/ansible/modules/storage/ibm/ibm_sa_host.py+1 1 modified
    @@ -95,7 +95,7 @@ def main():
                 cluster=dict(),
                 domain=dict(),
                 iscsi_chap_name=dict(),
    -            iscsi_chap_secret=dict()
    +            iscsi_chap_secret=dict(no_log=True)
             )
         )
     
    
  • lib/ansible/modules/storage/netapp/na_elementsw_account.py+2 2 modified
    @@ -142,8 +142,8 @@ def __init__(self):
                 state=dict(required=True, choices=['present', 'absent']),
                 element_username=dict(required=True, aliases=["account_id"], type='str'),
                 from_name=dict(required=False, default=None),
    -            initiator_secret=dict(required=False, type='str'),
    -            target_secret=dict(required=False, type='str'),
    +            initiator_secret=dict(required=False, type='str', no_log=True),
    +            target_secret=dict(required=False, type='str', no_log=True),
                 attributes=dict(required=False, type='dict'),
                 status=dict(required=False, type='str'),
             ))
    
  • lib/ansible/modules/storage/netapp/_sf_account_manager.py+2 2 modified
    @@ -120,8 +120,8 @@ def __init__(self):
                 account_id=dict(required=False, type='int', default=None),
     
                 new_name=dict(required=False, type='str', default=None),
    -            initiator_secret=dict(required=False, type='str'),
    -            target_secret=dict(required=False, type='str'),
    +            initiator_secret=dict(required=False, type='str', no_log=True),
    +            target_secret=dict(required=False, type='str', no_log=True),
                 attributes=dict(required=False, type='dict'),
                 status=dict(required=False, type='str'),
             ))
    
  • lib/ansible/modules/web_infrastructure/sophos_utm/utm_proxy_auth_profile.py+1 1 modified
    @@ -319,7 +319,7 @@ def main():
                 backend_user_suffix=dict(type='str', required=False, default=""),
                 comment=dict(type='str', required=False, default=""),
                 frontend_cookie=dict(type='str', required=False),
    -            frontend_cookie_secret=dict(type='str', required=False),
    +            frontend_cookie_secret=dict(type='str', required=False, no_log=True),
                 frontend_form=dict(type='str', required=False),
                 frontend_form_template=dict(type='str', required=False, default=""),
                 frontend_login=dict(type='str', required=False),
    
  • lib/ansible/module_utils/keycloak.py+1 1 modified
    @@ -57,7 +57,7 @@ def keycloak_argument_spec():
             auth_keycloak_url=dict(type='str', aliases=['url'], required=True),
             auth_client_id=dict(type='str', default='admin-cli'),
             auth_realm=dict(type='str', required=True),
    -        auth_client_secret=dict(type='str', default=None),
    +        auth_client_secret=dict(type='str', default=None, no_log=True),
             auth_username=dict(type='str', aliases=['username'], required=True),
             auth_password=dict(type='str', aliases=['password'], required=True, no_log=True),
             validate_certs=dict(type='bool', default=True)
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

10
