feat: new variable postgresql_secure_logging defaulting to true

[spetrosi]

Feature: Introduce the postgresql_secure_logging variable that defaults to true and using verbosity-based logging for facts modules.

Reason: Currently, all sensitive tasks use hard-coded no_log: true, which makes debugging difficult. Users cannot see credential-related output even when troubleshooting authentication or secret management issues. Additionally, package_facts produces verbose output that clutters logs during normal operation.

Result:

• Tasks handling credentials, secrets, and sensitive data now use no_log: "{{ postgresql_secure_logging }}", allowing users to set postgresql_secure_logging: false for debugging while maintaining secure defaults (true)
• package_facts now uses no_log: "{{ ansible_verbosity < 2 }}", hiding verbose output unless -vv or higher verbosity is specified
• New variable postgresql_secure_logging documented in README.md with guidance on when to disable it
• Users can now debug credential and secret issues without modifying role code

🤖 Generated with Claude Code

Summary by Sourcery

Introduce a configurable secure logging toggle and adjust logging behavior for sensitive tasks and facts gathering.

New Features:

• Add the postgresql_secure_logging variable to control logging of sensitive tasks, defaulting to true.

Enhancements:

• Gate sensitive credential-handling tasks' no_log behavior on postgresql_secure_logging to allow controlled debugging.
• Suppress package_facts output by default and only show it at higher Ansible verbosity levels.
• Document the postgresql_secure_logging variable and its usage in the README.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Introduces a configurable secure-logging toggle and verbosity-based no_log behavior, replacing hard-coded no_log: true on sensitive tasks and reducing default noise from package_facts while documenting the new behavior.

Sequence diagram for Ansible logging behavior with postgresql_secure_logging

sequenceDiagram
    actor User
    participant AnsibleController
    participant RoleDefaults
    participant TaskPackageFacts
    participant TaskSetPostgresPassword

    User->>AnsibleController: Run playbook with verbosity
    AnsibleController->>RoleDefaults: Load defaults
    RoleDefaults-->>AnsibleController: postgresql_secure_logging = true

    AnsibleController->>TaskPackageFacts: Execute package_facts
    TaskPackageFacts->>TaskPackageFacts: Evaluate no_log as ansible_verbosity < 2
    alt ansible_verbosity < 2
        TaskPackageFacts-->>AnsibleController: Package facts (no_log enabled)
    else ansible_verbosity >= 2
        TaskPackageFacts-->>AnsibleController: Package facts (no_log disabled)
    end

    AnsibleController->>TaskSetPostgresPassword: Execute psql ALTER USER
    TaskSetPostgresPassword->>TaskSetPostgresPassword: Evaluate no_log as postgresql_secure_logging
    alt postgresql_secure_logging == true
        TaskSetPostgresPassword-->>AnsibleController: Password change (no_log enabled)
    else postgresql_secure_logging == false
        TaskSetPostgresPassword-->>AnsibleController: Password change (no_log disabled)
    end

    AnsibleController-->>User: Display logs based on no_log settings

Loading

Flow diagram for secure logging and verbosity-based no_log decisions

flowchart TD
    A[Start Ansible run] --> B[Load role defaults]
    B --> C[postgresql_secure_logging default true]

    C --> D[Run package_facts task]
    D --> E{Is ansible_verbosity < 2}
    E -->|Yes| F[Set no_log true for package_facts]
    E -->|No| G[Set no_log false for package_facts]

    F --> H[Package facts collected without verbose output]
    G --> H

    H --> I[Run password update task]
    I --> J{postgresql_secure_logging value}
    J -->|true| K[Set no_log true for password task]
    J -->|false| L[Set no_log false for password task]

    K --> M[Hide sensitive data in logs]
    L --> N[Expose sensitive data for debugging]

    M --> O[Ansible output respects no_log]
    N --> O

    O --> P[End]

Loading

File-Level Changes

Change	Details	Files
Make secure logging behavior configurable via a new role default variable.	Add postgresql_secure_logging: true to role defaults to control no_log on sensitive tasks. Document the new variable, its purpose, default, and safe usage patterns in README.md.	defaults/main.yml README.md
Adjust logging behavior for facts gathering and credential-handling tasks.	Set package_facts task to use no_log: "{{ ansible_verbosity < 2 }}" so output is shown only at -vv or higher. Replace hard-coded no_log: true on the postgres password ALTER USER command with no_log: "{{ postgresql_secure_logging }}" to respect the new toggle.	tasks/main.yml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• When using postgresql_secure_logging to control no_log, consider coercing it explicitly to a boolean (e.g. no_log: "{{ postgresql_secure_logging | bool }}") so that string values like "false" from inventories don’t accidentally evaluate as truthy.
• For the package_facts task, it may be safer to cast ansible_verbosity to an integer in the expression (e.g. no_log: "{{ (ansible_verbosity | int) < 2 }}") to avoid any unexpected comparison issues if the variable is not already an integer.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- When using `postgresql_secure_logging` to control `no_log`, consider coercing it explicitly to a boolean (e.g. `no_log: "{{ postgresql_secure_logging | bool }}"`) so that string values like `"false"` from inventories don’t accidentally evaluate as truthy.
- For the `package_facts` task, it may be safer to cast `ansible_verbosity` to an integer in the expression (e.g. `no_log: "{{ (ansible_verbosity | int) < 2 }}"`) to avoid any unexpected comparison issues if the variable is not already an integer.

## Individual Comments

### Comment 1
<location path="tasks/main.yml" line_range="137" />
<code_context>
           psql -c "ALTER USER postgres WITH ENCRYPTED PASSWORD
           '{{ postgresql_password }}';"
-      no_log: true
+      no_log: "{{ postgresql_secure_logging }}"
       changed_when: false

</code_context>
<issue_to_address>
**nitpick:** Avoid quoting the Jinja expression so `no_log` is treated as a native boolean.

Quoting here makes `no_log` a string (`"True"`/`"False"`), which Ansible will usually coerce, but it’s clearer and safer to keep it as a native boolean. Drop the quotes and rely on the template to yield a boolean:

```yaml
no_log: {{ postgresql_secure_logging }}
```

Please apply the same change to the earlier `no_log` that depends on `ansible_verbosity`.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

nitpick: Avoid quoting the Jinja expression so no_log is treated as a native boolean.

Quoting here makes no_log a string ("True"/"False"), which Ansible will usually coerce, but it’s clearer and safer to keep it as a native boolean. Drop the quotes and rely on the template to yield a boolean:

no_log: {{ postgresql_secure_logging }}

Please apply the same change to the earlier no_log that depends on ansible_verbosity.