feat: ensure file permission of cert and key file

63497598 · Bo-Chun Chen · dcd97881 · 63497598
Commit 63497598 authored 5 months ago by Bo-Chun Chen
--- a/ansible/roles/ssl_cert/tasks/main.yaml
+++ b/ansible/roles/ssl_cert/tasks/main.yaml
@@ -15,6 +15,17 @@
    - "{{ ssl_cert_file }}"
    - "{{ ssl_cert_chain_file }}"

+- name: Change cert files permissions
+  ansible.builtin.file:
+    path: "{{ ssl_cert_file_location }}/{{ item }}"
+    owner: root
+    group: root
+    mode: '0600'
+  when: ssl_cert_s3_bucket | length > 0 and item | length > 0
+  loop:
+    - "{{ ssl_cert_file }}"
+    - "{{ ssl_cert_chain_file }}"
+
 - name: Download SSL key from S3
  aws_s3:
    mode: get
@@ -28,6 +39,14 @@
    ansible_python_interpreter: /usr/bin/python3
  when: ssl_cert_s3_bucket | length > 0 and ssl_cert_key | length > 0

+- name: Change key file permissions
+  ansible.builtin.file:
+    path: "{{ ssl_cert_key_location }}/{{ ssl_cert_key }}"
+    owner: root
+    group: root
+    mode: '0400'
+  when: ssl_cert_s3_bucket | length > 0 and ssl_cert_key | length > 0
+
 - name: Update SSL in Apache config
  ansible.builtin.replace:
    path: "{{ ssl_apache_config }}"