feat: Kubeconfig file should not be world or group readable by default (terraform-aws-modules#1114)

ishustava · barryib · ArchiFleKs · commit 91f94abc4707 · 2021-06-01T14:18:58.000+02:00
Co-authored-by: Thierno IB. BARRY &lt;ibrahima.br@gmail.com&gt;
diff --git a/README.md b/README.md
@@ -251,6 +251,7 @@ Apache 2 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraf
 | <a name="input_kubeconfig_aws_authenticator_command"></a> [kubeconfig\_aws\_authenticator\_command](#input\_kubeconfig\_aws\_authenticator\_command) | Command to use to fetch AWS EKS credentials. | `string` | `"aws-iam-authenticator"` | no |
 | <a name="input_kubeconfig_aws_authenticator_command_args"></a> [kubeconfig\_aws\_authenticator\_command\_args](#input\_kubeconfig\_aws\_authenticator\_command\_args) | Default arguments passed to the authenticator command. Defaults to [token -i $cluster\_name]. | `list(string)` | `[]` | no |
 | <a name="input_kubeconfig_aws_authenticator_env_variables"></a> [kubeconfig\_aws\_authenticator\_env\_variables](#input\_kubeconfig\_aws\_authenticator\_env\_variables) | Environment variables that should be used when executing the authenticator. e.g. { AWS\_PROFILE = "eks"}. | `map(string)` | `{}` | no |
+| <a name="input_kubeconfig_file_permission"></a> [kubeconfig\_file\_permission](#input\_kubeconfig\_file\_permission) | File permission of the Kubectl config file containing cluster configuration saved to `config_output_path.` | `string` | `"0600"` | no |
 | <a name="input_kubeconfig_name"></a> [kubeconfig\_name](#input\_kubeconfig\_name) | Override the default name used for items kubeconfig. | `string` | `""` | no |
 | <a name="input_manage_aws_auth"></a> [manage\_aws\_auth](#input\_manage\_aws\_auth) | Whether to apply the aws-auth configmap file. | `bool` | `true` | no |
 | <a name="input_manage_cluster_iam_resources"></a> [manage\_cluster\_iam\_resources](#input\_manage\_cluster\_iam\_resources) | Whether to let the module manage cluster IAM resources. If set to false, cluster\_iam\_role\_name must be specified. | `bool` | `true` | no |
diff --git a/kubectl.tf b/kubectl.tf
@@ -2,6 +2,6 @@ resource "local_file" "kubeconfig" {
   count                = var.write_kubeconfig && var.create_eks ? 1 : 0
   content              = local.kubeconfig
   filename             = substr(var.config_output_path, -1, 1) == "/" ? "${var.config_output_path}kubeconfig_${var.cluster_name}" : var.config_output_path
-  file_permission      = "0644"
+  file_permission      = var.kubeconfig_file_permission
   directory_permission = "0755"
 }
diff --git a/variables.tf b/variables.tf
@@ -38,6 +38,12 @@ variable "config_output_path" {
   default     = "./"
 }
 
+variable "kubeconfig_file_permission" {
+  description = "File permission of the Kubectl config file containing cluster configuration saved to `config_output_path.`"
+  type        = string
+  default     = "0600"
+}
+
 variable "write_kubeconfig" {
   description = "Whether to write a Kubectl config file containing the cluster configuration. Saved to `config_output_path`."
   type        = bool

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,6 @@ resource "local_file" "kubeconfig" {`
`2`	`2`	`count = var.write_kubeconfig && var.create_eks ? 1 : 0`
`3`	`3`	`content = local.kubeconfig`
`4`	`4`	`filename = substr(var.config_output_path, -1, 1) == "/" ? "${var.config_output_path}kubeconfig_${var.cluster_name}" : var.config_output_path`
`5`		`- file_permission = "0644"`
	`5`	`+ file_permission = var.kubeconfig_file_permission`
`6`	`6`	`directory_permission = "0755"`
`7`	`7`	`}`