only record task.args in the callback plugin if DISPLAY_ARGS_TO_STDOUT

see: https://github.com/ansible/awx/issues/1633

awx/lib/awx_display_callback/module.py

@@ -28,6 +28,7 @@ import uuid
 from copy import copy
 
 # Ansible
+from ansible import constants as C
 from ansible.plugins.callback import CallbackBase
 from ansible.plugins.callback.default import CallbackModule as DefaultCallbackModule
 
@@ -126,16 +127,19 @@ class BaseCallbackModule(CallbackBase):
             task=(task.name or task.action),
             task_uuid=str(task._uuid),
             task_action=task.action,
+            task_args='',
         )
         try:
             task_ctx['task_path'] = task.get_path()
         except AttributeError:
             pass
-        if task.no_log:
+
-            task_ctx['task_args'] = "the output has been hidden due to the fact that 'no_log: true' was specified for this result"
+        if C.DISPLAY_ARGS_TO_STDOUT:
-        else:
+            if task.no_log:
-            task_args = ', '.join(('%s=%s' % a for a in task.args.items()))
+                task_ctx['task_args'] = "the output has been hidden due to the fact that 'no_log: true' was specified for this result"
-            task_ctx['task_args'] = task_args
+            else:
+                task_args = ', '.join(('%s=%s' % a for a in task.args.items()))
+                task_ctx['task_args'] = task_args
         if getattr(task, '_role', None):
             task_role = task._role._role_name
         else:

awx/lib/tests/test_display_callback.py

@@ -186,14 +186,16 @@ def test_callback_plugin_no_log_filters(executor, cache, playbook):
 
 @pytest.mark.parametrize('playbook', [
 {'no_log_on_ok.yml': '''
-- name: args should not be logged when task-level no_log is set
+- name: args should not be logged when no_log is set at the task or module level
   connection: local
   hosts: all
   gather_facts: no
   tasks:
-    - shell: echo "SENSITIVE"
+    - shell: echo "PUBLIC"
     - shell: echo "PRIVATE"
       no_log: true
+    - uri: uri=https://example.org username="PUBLIC" password="PRIVATE"
+    - copy: content="PRIVATE" destination="/tmp/tmp_no_log"
 '''},  # noqa
 ])
 def test_callback_plugin_task_args_leak(executor, cache, playbook):
@@ -204,15 +206,13 @@ def test_callback_plugin_task_args_leak(executor, cache, playbook):
 
     # task 1
     assert events[2]['event'] == 'playbook_on_task_start'
-    assert 'SENSITIVE' in events[2]['event_data']['task_args']
     assert events[3]['event'] == 'runner_on_ok'
-    assert 'SENSITIVE' in events[3]['event_data']['task_args']
 
     # task 2 no_log=True
     assert events[4]['event'] == 'playbook_on_task_start'
-    assert events[4]['event_data']['task_args'] == "the output has been hidden due to the fact that 'no_log: true' was specified for this result"  # noqa
     assert events[5]['event'] == 'runner_on_ok'
-    assert events[5]['event_data']['task_args'] == "the output has been hidden due to the fact that 'no_log: true' was specified for this result"  # noqa
+    assert 'PUBLIC' in json.dumps(cache.items())
+    assert 'PRIVATE' not in json.dumps(cache.items())
 
 
 @pytest.mark.parametrize('playbook', [

awx/main/models/events.py

@@ -235,12 +235,6 @@ class BasePlaybookEvent(CreatedModifiedModel):
             if res.get('changed', False):
                 self.changed = True
                 updated_fields.add('changed')
-            # If we're not in verbose mode, wipe out any module arguments.
-            invocation = res.get('invocation', None)
-            if isinstance(invocation, dict) and self.job_verbosity == 0 and 'module_args' in invocation:
-                event_data['res']['invocation']['module_args'] = ''
-                self.event_data = event_data
-                updated_fields.add('event_data')
         if self.event == 'playbook_on_stats':
             try:
                 failures_dict = event_data.get('failures', {})