Ansible Automation Platform RFEs
AAPRFE-1820

[RFE] Redaction of Secret Variables in Ansible Output

    • Type: Feature Request
    • Resolution: Done
    • Version: 2.4
    • Component: controller

      Problem Description:
      When using Ansible to manage infrastructure and application deployments, secret variables (such as passwords, API keys, and other sensitive data) are sometimes displayed in the task output. This can be suppressed with no_log: true, but no_log: true hides the entire task output; what we need is the normal output with only the secrets masked.

      In Ansible Automation Platform, survey variables of type password are redacted. Secrets passed as extra vars, or any variables coming from credentials or from a playbook, are not redacted the way survey password fields are.

      Users should be able to choose which variables are secrets, and those variables should then be redacted or hidden in the output.
      This poses a significant security risk, particularly in shared environments, logs, or during debugging sessions, where unintended exposure of sensitive data may occur.

      Feature Request:
      We would like Red Hat to implement a feature in Ansible that allows for automated redaction of secret variables in the output logs, ensuring that sensitive information is never exposed.

      The feature should work as follows:
      1. Identify and redact secret variables or specific patterns in the output.
      2. Be configurable to allow users to define which variables or data patterns should be treated as sensitive.
      3. Be compatible with no_log: true and extend its capabilities by ensuring that sensitive data in nested structures or unexpected outputs is also redacted.
      4. Provide options for partial redaction (e.g., displaying ******** or the first/last few characters).

      Expected Benefits:

      • Enhanced Security: Ensures sensitive data is not inadvertently exposed.
      • Improved Compliance: Helps meet compliance requirements for data protection and auditing.
      • Ease of Use: Simplifies secret management, especially in environments with complex playbooks.

      Relevant Use Cases:

      • Managing cloud resources where API keys are used in module execution.
      • Deploying applications where passwords or tokens are passed to Ansible tasks.
      • Debugging large playbooks with detailed output that may inadvertently expose secrets.

      Additional Details:

      • Current Ansible Automation Platform version in use: 2.4
      • Ansible environment: [Specify details, e.g., AWX/Ansible Automation Platform, CLI, etc.]
      • Example of a task output where sensitive data is exposed:
        TASK [Deploy application] *********************************************************
        fatal: [target-host]: FAILED! => {"msg": "The task includes an option with an undefined variable: {{ api_key }}"}

      Steps Taken:

      • Implemented no_log: true on tasks, but that hides the task output completely.
      • Reviewed the Ansible documentation and community forums but did not find a complete solution for automated redaction.

      Suggested Approach:
      We recommend developing a feature in collaboration with the Red Hat community and enterprise users. This could involve enhancing the core logging system or introducing plugins to handle secret redaction dynamically.
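
      To make the four requirements of the feature request concrete (items 1 to 4 above) and the plugin-based approach suggested here, below is an added illustration of a redaction core that a custom callback plugin could apply to a task's result before it is displayed. It is example code written for this page, not Ansible, AWX or Red Hat code and not part of this RFE. The configuration format (SECRET_VARS, SECRET_PATTERNS, MIN_SECRET_LEN), the helper names, and the sample play variables and task result are all constructed for the example.

```python
"""Redact secret variables from an Ansible task result before it is displayed.

Added illustration, not Ansible or Red Hat code.  It is the redaction core
that a custom callback plugin could apply to a task's result dict.
Assumptions (not from the RFE): secrets are named in SECRET_VARS, their
plaintext is available from the play's variables, and extra regexes in
SECRET_PATTERNS catch tokens that are not bound to a known variable.
"""
import re
from typing import Any, Iterable, Optional, Pattern

MASK = "********"

# Hypothetical operator configuration.
SECRET_VARS = ["api_key", "db_password"]
# Redact the token after "Bearer " without hiding the scheme word itself.
SECRET_PATTERNS = [r"(?<=Bearer )[A-Za-z0-9._-]{8,}"]
MIN_SECRET_LEN = 4  # shorter values would over-redact ordinary text


def mask(value: str, keep: int = 0) -> str:
    """Full mask, or partial (first/last `keep` chars visible) when the value is long enough."""
    if keep <= 0 or len(value) <= 2 * keep + 1:
        return MASK
    return value[:keep] + MASK + value[-keep:]


def _value_pattern(values: Iterable[Any]) -> Optional[Pattern[str]]:
    """One alternation over the known plaintext secrets, longest first so a
    value that is a prefix of another does not leave the tail exposed."""
    vals = sorted({v for v in values if isinstance(v, str) and len(v) >= MIN_SECRET_LEN},
                  key=len, reverse=True)
    return re.compile("|".join(re.escape(v) for v in vals)) if vals else None


def redact(obj: Any, secret_values: Iterable[Any], patterns: Iterable[str],
           keep: int = 0, secret_names: Iterable[str] = ()) -> Any:
    """Return a copy of `obj` (a dict/list/str tree) with secrets masked.

    Three rules, applied at any depth of the structure:
      * a dict entry whose key is a secret variable name is masked by name,
        so a module's echo of its own arguments is covered even if the value
        was transformed before the module saw it;
      * any occurrence of a known secret value inside a string is masked,
        which covers URLs, error messages and stderr lines;
      * any match of a configured pattern is masked.
    """
    by_value = _value_pattern(secret_values)
    by_pattern = [re.compile(p) for p in patterns]
    names = set(secret_names)

    def scrub(text: str) -> str:
        if by_value is not None:
            text = by_value.sub(lambda m: mask(m.group(0), keep), text)
        for rx in by_pattern:
            text = rx.sub(lambda m: mask(m.group(0), keep), text)
        return text

    def walk(node: Any) -> Any:
        if isinstance(node, dict):
            out = {}
            for key, val in node.items():
                if key in names and val is not None and not isinstance(val, (dict, list, tuple)):
                    out[key] = mask(str(val), keep)
                else:
                    out[key] = walk(val)
            return out
        if isinstance(node, (list, tuple)):
            return [walk(item) for item in node]
        if isinstance(node, str):
            return scrub(node)
        return node  # ints, bools, None pass through untouched

    return walk(obj)


def redact_task_result(result, play_vars, keep=0, secret_vars=SECRET_VARS, patterns=SECRET_PATTERNS):
    """Convenience wrapper: look the secret plaintexts up in the play's variables."""
    values = [play_vars[name] for name in secret_vars if name in play_vars]
    return redact(result, values, patterns, keep=keep, secret_names=secret_vars)


# Constructed sample: the vars a play might carry and a failed task's result dict.
SAMPLE_VARS = {"api_key": "sk-live-9f3e2a7b1c", "db_password": "Tr0ub4dor&3", "app_user": "billing"}
SAMPLE_RESULT = {
    "changed": False,
    "msg": "Request to https://api.example.com/v1?key=sk-live-9f3e2a7b1c failed (401)",
    "invocation": {"module_args": {"api_key": "sk-live-9f3e2a7b1c", "timeout": 30,
                                   "headers": {"Authorization": "Bearer eyJhbGciOi.payload.sig"}}},
    "stderr_lines": ["psql: password authentication failed for user billing",
                     "PGPASSWORD=Tr0ub4dor&3"],
}

if __name__ == "__main__":
    import json
    print(json.dumps(redact_task_result(SAMPLE_RESULT, SAMPLE_VARS), indent=2))
    print(json.dumps(redact_task_result(SAMPLE_RESULT, SAMPLE_VARS, keep=2), indent=2))
```

      In a real plugin this would run inside the callback's v2_runner_on_ok and v2_runner_on_failed methods on the task's result dict before the default display formats it; that wiring, and where the secret list is read from, are assumptions about how such a plugin would be built and are not shown here. Two caveats a practitioner should keep in mind: value-based matching only catches a secret whose plaintext the plugin knows and that appears unchanged in the output (a base64-, URL- or hash-transformed copy will not match), and values shorter than MIN_SECRET_LEN are deliberately skipped because masking every occurrence of a two-character string would corrupt unrelated output. Those gaps are why no_log: true remains the safe default whenever the shape of a module's output is unknown.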

      Urgency:
      Please indicate if this feature request is critical or has a specific timeline due to compliance or operational requirements.

              rhn-support-nikhjain Nikhil Jain
              Votes: 1
              Watchers: 7