prevent the admin command to be logged in debug mode

provision/aws/rosa_oc_login.sh

@@ -17,6 +17,7 @@ SECRET_MANAGER_REGION="eu-central-1"
 API_URL=$(rosa describe cluster -c "$CLUSTER_NAME" -o json | jq -r '.api.url')
 
 if [[ "$RUNNER_DEBUG" == "1" ]]; then
+  # prevent logging the password in debug mode
   set +x
 fi
 ADMIN_PASSWORD=$(aws secretsmanager get-secret-value --region $SECRET_MANAGER_REGION --secret-id $KEYCLOAK_MASTER_PASSWORD_SECRET_NAME --query SecretString --output text --no-cli-pager)

provision/aws/rosa_recreate_admin.sh

@@ -12,14 +12,16 @@ fi
 CLUSTER_NAME=${CLUSTER_NAME:-$(whoami)}
 if [ -z "$CLUSTER_NAME" ]; then echo "Variable CLUSTER_NAME needs to be set."; exit 1; fi
 
+if [[ "$RUNNER_DEBUG" == "1" ]]; then
+  # prevent logging the password in debug mode
+  set +x
+fi
+
 KEYCLOAK_MASTER_PASSWORD_SECRET_NAME=${KEYCLOAK_MASTER_PASSWORD_SECRET_NAME:-"keycloak-master-password"}
 # Force eu-central-1 region for secrets manager so we all work with the same secret
 SECRET_MANAGER_REGION="eu-central-1"
 ADMIN_PASSWORD=${ADMIN_PASSWORD:-$(aws secretsmanager get-secret-value --region $SECRET_MANAGER_REGION --secret-id $KEYCLOAK_MASTER_PASSWORD_SECRET_NAME --query SecretString --output text --no-cli-pager)}
 
-if [[ "$RUNNER_DEBUG" == "1" ]]; then
-  set +x
-fi
 if [ -z "$ADMIN_PASSWORD" ]; then
   ./aws_rotate_keycloak_master_password.sh
   ADMIN_PASSWORD=$(aws secretsmanager get-secret-value --region $SECRET_MANAGER_REGION --secret-id $KEYCLOAK_MASTER_PASSWORD_SECRET_NAME --query SecretString --output text --no-cli-pager)
@@ -28,6 +30,7 @@ fi
 if [ "$GITHUB_ACTIONS" != "" ]; then
   echo "::add-mask::${ADMIN_PASSWORD}"
 fi
+
 if [[ "$RUNNER_DEBUG" == "1" ]]; then
   set -x
 fi