From 61d60d07d1aaf2d270814921ece58db5e7c5ffec Mon Sep 17 00:00:00 2001
From: Alex Stephen
Date: Tue, 6 Aug 2019 13:27:11 -0700
Subject: [PATCH] no logging for service account contents (#60149)
* no logging for service account contents
* changelog
* fixes
---
 changelogs/fragments/gcp_fixes.yml | 2 ++
 lib/ansible/module_utils/gcp_utils.py | 3 ++-
 lib/ansible/plugins/doc_fragments/gcp.py | 6 ++----
 3 files changed, 6 insertions(+), 5 deletions(-)
 create mode 100644 changelogs/fragments/gcp_fixes.yml
diff --git a/changelogs/fragments/gcp_fixes.yml b/changelogs/fragments/gcp_fixes.yml
new file mode 100644
index 00000000000..3cc57c98786
--- /dev/null
+++ b/changelogs/fragments/gcp_fixes.yml
@@ -0,0 +1,2 @@
+bugfixes:
+ - Add no_log to credentials field to avoid disclosures, also switch type to jsonarg to avoid having users responsible for transformations.
diff --git a/lib/ansible/module_utils/gcp_utils.py b/lib/ansible/module_utils/gcp_utils.py
index ec8c73e6ed6..1ef97c46f7b 100644
--- a/lib/ansible/module_utils/gcp_utils.py
+++ b/lib/ansible/module_utils/gcp_utils.py
@@ -214,7 +214,8 @@ class GcpModule(AnsibleModule):
 service_account_contents=dict(
 required=False,
 fallback=(env_fallback, ['GCP_SERVICE_ACCOUNT_CONTENTS']),
- type='str'),
+ no_log=True,
+ type='jsonarg'),
 scopes=dict(
 required=False,
 fallback=(env_fallback, ['GCP_SCOPES']),
diff --git a/lib/ansible/plugins/doc_fragments/gcp.py b/lib/ansible/plugins/doc_fragments/gcp.py
index 60a98d054b5..a73389921b4 100644
--- a/lib/ansible/plugins/doc_fragments/gcp.py
+++ b/lib/ansible/plugins/doc_fragments/gcp.py
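Review bot: In the `lib/ansible/module_utils/gcp_utils.py` hunk, `no_log=True` on `service_account_contents` masks the value as Ansible received it, so the scrubbing probably differs between the two input forms that `type='jsonarg'` now accepts. If no_log values are collected before type coercion (worth confirming for the targeted release), a JSON string is masked only as one whole value, so a lone `private_key` echoed in an error message would not be scrubbed. A dictionary, by contrast, would register every leaf value and could over-mask ordinary output such as the project id. I would add a comment above the option, `# no_log covers the value as passed; never echo parsed key fields in error messages`, and a unit test that passes both forms and asserts the module result contains no key material. The argument spec and the code that parses this parameter lie outside the hunk, so their error paths are not visible here.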
@@ -20,10 +20,8 @@ options:
 choices: [ application, machineaccount, serviceaccount ]
 service_account_contents:
 description:
- - A string representing the contents of a Service Account JSON file.
- - This should not be passed in as a dictionary, but a string
- that has the exact contents of a service account json file (valid JSON)
- type: str
+ - The contents of a Service Account JSON file, either in a dictionary or as a JSON string that represents it.
+ type: jsonarg
 service_account_file:
 description:
 - The path of a Service Account JSON file if serviceaccount is selected as type.