From 623b9ea5c391995fabd45d234eba35ab3d821b56 Mon Sep 17 00:00:00 2001
From: Iryna Shustava
Date: Thu, 28 Jan 2021 16:23:01 -0800
Subject: [PATCH] improvement: Make kubeconfig file permission cofigurable
---
 README.md | 1 +
 kubectl.tf | 2 +-
 variables.tf | 6 ++++++
 3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index a513473299..43f108daac 100644
--- a/README.md
+++ b/README.md
@@ -186,6 +186,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a
 | cluster\_security\_group\_id | If provided, the EKS cluster will be attached to this security group. If not given, a security group will be created with necessary ingress/egress to work with the workers | `string` | `""` | no |
 | cluster\_service\_ipv4\_cidr | service ipv4 cidr for the kubernetes cluster | `string` | `null` | no |
 | cluster\_version | Kubernetes version to use for the EKS cluster. | `string` | n/a | yes |
+| config\_output\_file\_permission | File permission of the Kubectl config file containing cluster configuration saved to `config_output_path.` | `string` | `"0600"` | no |
 | config\_output\_path | Where to save the Kubectl config file (if `write_kubeconfig = true`). Assumed to be a directory if the value ends with a forward slash `/`. | `string` | `"./"` | no |
 | create\_eks | Controls if EKS resources should be created (it affects almost all resources) | `bool` | `true` | no |
 | create\_fargate\_pod\_execution\_role | Controls if the EKS Fargate pod execution IAM role should be created. | `bool` | `true` | no |
diff --git a/kubectl.tf b/kubectl.tf
index 2fcfe1c4d8..f7e129ca3f 100644
--- a/kubectl.tf
+++ b/kubectl.tf
@@ -2,6 +2,6 @@ resource "local_file" "kubeconfig" {
 count = var.write_kubeconfig && var.create_eks ? 1 : 0
 content = local.kubeconfig
 filename = substr(var.config_output_path, -1, 1) == "/" ? "${var.config_output_path}kubeconfig_${var.cluster_name}" : var.config_output_path
- file_permission = "0600"
+ file_permission = var.config_output_file_permission
 directory_permission = "0755"
 }
diff --git a/variables.tf b/variables.tf
index e49c57ca49..70112ecc68 100644
--- a/variables.tf
+++ b/variables.tf
@@ -38,6 +38,12 @@ variable "config_output_path" {
 default = "./"
 }
 
+variable "config_output_file_permission" {
+ description = "File permission of the Kubectl config file containing cluster configuration saved to `config_output_path.`"
+ type = string
+ default = "0600"
+}
+
 variable "write_kubeconfig" {
 description = "Whether to write a Kubectl config file containing the cluster configuration. Saved to `config_output_path`."
 type = bool
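Review bot: On the `file_permission` line in kubectl.tf the mode is now whatever string the caller supplies, while `directory_permission` stays fixed at "0755", so a value such as "0644" leaves the kubeconfig readable by every local account that can traverse the output directory. Nothing at the use site records that the former literal was owner-only on purpose; I would add a comment above the argument, for example `# kubeconfig holds the cluster configuration; keep owner-only unless another local account must read it`. Whether the file also carries credentials depends on how `local.kubeconfig` is built, which this patch does not show. The `local_file` resource block opens outside the hunk body, in the hunk header line.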
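Review bot: The new `config_output_file_permission` variable in variables.tf accepts any string, so a typo or an over-broad mode such as "0666" is passed straight to the `local_file` resource without a plan-time check. If the module's minimum Terraform version supports variable `validation` blocks (not visible in this patch), I would constrain the value to a four-digit octal mode as sketched below. The description could also state that the default is deliberately owner-only, and its closing backtick belongs before the period, as in the neighbouring `write_kubeconfig` description.

```hcl
variable "config_output_file_permission" {
  # … unchanged: description, type, default …

  validation {
    condition     = can(regex("^0[0-7]{3}$", var.config_output_file_permission))
    error_message = "The config_output_file_permission value must be a four-digit octal mode such as \"0600\"."
  }
}
```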