Make sure debug files are 0600

docker/config/debug.tf

@@ -1,5 +1,6 @@
 resource "local_file" "config" {
-  count    = var.debug ? 1 : 0
-  content  = var.value
-  filename = "${path.root}/.debug/docker/${var.stack_name}/configs/${local.file_name}"
+  count           = var.debug ? 1 : 0
+  content         = var.value
+  filename        = "${path.root}/.debug/docker/${var.stack_name}/configs/${local.file_name}"
+  file_permission = "0600"
 }

products/docker_registry/registry.tf

@@ -58,8 +58,9 @@ module "docker_registry_config" {
   value = yamlencode(local.registry_config_yaml)
 }
 resource "local_file" "docker_registry_config_yml" {
-  content  = yamlencode(local.registry_config_yaml)
-  filename = "${path.root}/.debug/docker-registry/config.yml"
+  content         = yamlencode(local.registry_config_yaml)
+  filename        = "${path.root}/.debug/docker-registry/config.yml"
+  file_permission = "0600"
 }
 
 # Registry Service

products/nginx/default_page.tf

@@ -6,14 +6,16 @@ resource "docker_config" "default_page" {
   data = base64encode(local.default_page)
 }
 resource "local_file" "default_page" {
-  content  = base64decode(docker_config.default_page.data)
-  filename = "${path.root}/.debug/nginx/index.html"
+  content         = base64decode(docker_config.default_page.data)
+  filename        = "${path.root}/.debug/nginx/index.html"
+  file_permission = "0600"
 }
 resource "docker_config" "default_conf" {
   name = "${var.service_name}.default.conf-${substr(sha1(file("${path.module}/default.conf")), 0, 4)}"
   data = base64encode(file("${path.module}/default.conf"))
 }
 resource "local_file" "default_conf" {
-  content  = base64decode(docker_config.default_conf.data)
-  filename = "${path.root}/.debug/nginx/default.conf"
+  content         = base64decode(docker_config.default_conf.data)
+  filename        = "${path.root}/.debug/nginx/default.conf"
+  file_permission = "0600"
 }

products/nginx/site-available/basic-auth.tf

@@ -16,7 +16,8 @@ resource "docker_config" "auth" {
   data  = base64encode(local.auth)
 }
 resource "local_file" "auth" {
-  count    = var.basic_auth != null ? 1 : 0
-  content  = local.auth
-  filename = "${path.root}/.debug/nginx/${local.filenames.auth}"
+  count           = var.basic_auth != null ? 1 : 0
+  content         = local.auth
+  filename        = "${path.root}/.debug/nginx/${local.filenames.auth}"
+  file_permission = "0600"
 }

products/nginx/site-available/cert.tf

@@ -7,9 +7,10 @@ resource "docker_config" "certificate" {
   }
 }
 resource "local_file" "certificate" {
-  count    = var.certificate != null ? 1 : 0
-  content  = local.cert_public
-  filename = "${path.root}/.debug/nginx/${local.filenames.certificate}"
+  count           = var.certificate != null ? 1 : 0
+  content         = local.cert_public
+  filename        = "${path.root}/.debug/nginx/${local.filenames.certificate}"
+  file_permission = "0600"
 }
 resource "docker_config" "certificate_key" {
   count = var.certificate != null ? 1 : 0
@@ -20,7 +21,8 @@ resource "docker_config" "certificate_key" {
   }
 }
 resource "local_file" "certificate_key" {
-  count    = var.certificate != null ? 1 : 0
-  content  = var.certificate.private_key_pem
-  filename = "${path.root}/.debug/nginx/${local.filenames.certificate_key}"
+  count           = var.certificate != null ? 1 : 0
+  content         = var.certificate.private_key_pem
+  filename        = "${path.root}/.debug/nginx/${local.filenames.certificate_key}"
+  file_permission = "0600"
 }

products/nginx/site-available/config.tf

@@ -72,6 +72,7 @@ resource "docker_config" "nginx_site_available" {
 
 # Debug copy of the configuration file
 resource "local_file" "nginx_site_available" {
-  filename = "${path.root}/.debug/nginx/${local.filenames.nginx}"
-  content  = local.config
+  filename        = "${path.root}/.debug/nginx/${local.filenames.nginx}"
+  content         = local.config
+  file_permission = "0600"
 }