From 63497598297681d4c01d5b8faf7ff5c0ce0d11b8 Mon Sep 17 00:00:00 2001
From: Bo-Chun Louis Chen <louistw@uab.edu>
Date: Tue, 10 Dec 2024 15:42:13 -0600
Subject: [PATCH] feat: ensure file permission of cert and key file

---
 ansible/roles/ssl_cert/tasks/main.yaml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/ansible/roles/ssl_cert/tasks/main.yaml b/ansible/roles/ssl_cert/tasks/main.yaml
index 7458957..aa562aa 100644
--- a/ansible/roles/ssl_cert/tasks/main.yaml
+++ b/ansible/roles/ssl_cert/tasks/main.yaml
@@ -15,6 +15,17 @@
     - "{{ ssl_cert_file }}"
     - "{{ ssl_cert_chain_file }}"
 
+- name: Change cert files permissions
+  ansible.builtin.file:
+    path: "{{ ssl_cert_file_location }}/{{ item }}"
+    owner: root
+    group: root
+    mode: '0600'
+  when: ssl_cert_s3_bucket | length > 0 and item | length > 0
+  loop:
+    - "{{ ssl_cert_file }}"
+    - "{{ ssl_cert_chain_file }}"
+
 - name: Download SSL key from S3
   aws_s3:
     mode: get
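Review bot: The new permission task only tightens the files after the fact, so between the S3 download (the cert download task sits above this hunk; the key download starts at line 29) and this task the files carry whatever mode the remote's umask gave them, presumably readable to other local users under a permissive umask; the same window exists for the key task in the second hunk, where it matters more. The `mode: get` on the `aws_s3` task is the operation, not a file mode, so the gap cannot be closed on the download task itself; the usual mitigation is to make the destination directory root-owned and non-world-accessible before anything is downloaded into it, so a fresh file is never exposed regardless of umask. The excerpt below shows this for the key directory; the cert directory `{{ ssl_cert_file_location }}` could get the same treatment with a looser mode if other services need to read the chain. The permission task itself is fine as a steady-state guard and should stay.
```yaml
- name: Ensure key directory is not world-accessible before download
  ansible.builtin.file:
    path: "{{ ssl_cert_key_location }}"
    state: directory
    owner: root
    group: root
    mode: '0700'
  when: ssl_cert_s3_bucket | length > 0 and ssl_cert_key | length > 0

# … unchanged: Download SSL key from S3 …
```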
@@ -28,6 +39,14 @@
     ansible_python_interpreter: /usr/bin/python3
   when: ssl_cert_s3_bucket | length > 0 and ssl_cert_key | length > 0
 
+- name: Change key file permissions
+  ansible.builtin.file:
+    path: "{{ ssl_cert_key_location }}/{{ ssl_cert_key }}"
+    owner: root
+    group: root
+    mode: '0400'
+  when: ssl_cert_s3_bucket | length > 0 and ssl_cert_key | length > 0
+
 - name: Update SSL in Apache config
   ansible.builtin.replace:
     path: "{{ ssl_apache_config }}"
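Review bot: The `when:` on the new key task at line 42 is a verbatim copy of the download task's condition on line 34 (and the cert task in the first hunk likewise mirrors its download loop), so the two conditions will silently drift apart if only one is edited; wrapping the download and its permission task in a `block:` with a single `when:` keeps them in step. A one-line comment above the task would also help the next reader, since the key gets `0400` while the certs get `0600`, e.g. `# Private key is more sensitive than the cert/chain files above, hence 0400; verify the web server opens it before dropping privileges.` — the role shows Apache as the consumer but not how it reads the key. The "Update SSL in Apache config" task that follows continues outside the hunk.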
-- 
GitLab