Ability to set explicit permissions on files included in archives #59

srjturner opened this issue Jan 13, 2020 · 3 comments

srjturner commented Jan 13, 2020

Terraform Version

v0.12.19

Affected Resource(s)

archive_file

Terraform Configuration Files

data "http" "datadog" {
  url = "https://raw.githubusercontent.com/DataDog/datadog-serverless-functions/master/aws/logs_monitoring/lambda_function.py"
}

data "archive_file" "datadog" {
  type        = "zip"
  output_path = "${path.module}/files/lambda_function.py.zip"
  source {
    content  = data.http.datadog.body
    filename = "lambda_function.py"
  }
}

resource "aws_lambda_function" "datadog" {
  function_name                   = "datadog-logs"
  filename                        =  data.archive_file.datadog.output_path
  source_code_hash                =  filebase64sha256(data.archive_file.datadog.output_path)
  ...
}

Actual Behavior

The file is written to disk using the umask of the host. The file is included in the zip with those same permissions. If the umask is more restrictive than the 755 required by Lambda, the zip is unreadable by Lambda and Lambda fails with a "permission denied".

Expected Behavior

The above is "expected" but is unpredictable - what works on a dev laptop doesn't match what happens on a CI/CD server because it is vulnerable to the host's umask. Instead, the archive_file resource should support a file_permission attribute on sources just like the local_file resource does:

data "archive_file" "datadog" {
  type        = "zip"
  output_path = "${path.module}/files/lambda_function.py.zip"

  source {
    content         = "${data.http.datadog.body}"
    filename        = "lambda_function.py"
    file_permission = "0755"
  }
}

srjturner changed the title from "Set permissions on files included in archives" to "Ability to set explicit permissions on files included in archives" on Jan 13, 2020

@RichardBradley

This feature would give a workaround for #58

Contributor

virgofx commented May 5, 2021

The workaround in #90 has been released in terraform-provider-archive v2.2.0 which adds output_file_mode and should fix your issue.


emoshaya commented Nov 14, 2023

output_file_mode hasn't resolved this issue for the dynamic source block.

I have the following code. When I inspect the archive.zip files all the permissions are set to "0644" instead of "0755"


data "archive_file" "this" {
  type = "zip"
  source_file = null
  output_path = "${path.module}/archive.zip"
  # source_content_filename (with source_content), source_file, or source_dir must be specified.
  dynamic "source" {
    for_each = var.files
    content {
      content  = source.value.content
      filename = source.value.filename
    }
  }
  source_dir = null
  source_content = null
  source_content_filename = null
  output_file_mode = "0755"
  excludes = null
  exclude_symlink_directories = false
}

I think the solution proposed in this issue makes more sense, as you might want different permissions for each file:

data "archive_file" "datadog" {
  type        = "zip"
  output_path = "${path.module}/files/lambda_function.py.zip"

  source {
    content         = "${data.http.datadog.body}"
    filename        = "lambda_function.py"
    file_permission = "0755"
  }
}
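
The thread turns on which mode bits end up stored per entry in the zip. The following is an added example, not part of the original thread or the provider's code: a Python check that reads each entry's stored Unix mode and lists entries lacking the 0755 bits the issue says Lambda needs, plus a builder that sets modes explicitly so the result does not depend on the host umask. The function names and the sample archive are constructed for illustration.

```python
import io
import stat
import zipfile

UNIX = 3  # ZipInfo.create_system value for entries written on Unix


def build_zip(files):
    """files: iterable of (filename, content, mode). Modes are set explicitly,
    so the archive does not depend on the build host's umask."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content, mode in files:
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            info.create_system = UNIX
            info.external_attr = (stat.S_IFREG | mode) << 16
            zf.writestr(info, content)
    return buf.getvalue()


def entry_modes(zip_bytes):
    """Map each entry name to its Unix permission bits, or None when the
    entry stores no Unix mode (not written on Unix, or mode left at 0)."""
    modes = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            raw = info.external_attr >> 16
            has_mode = info.create_system == UNIX and raw != 0
            modes[info.filename] = stat.S_IMODE(raw) if has_mode else None
    return modes


def missing_bits(zip_bytes, required=0o755):
    """Entries whose mode lacks any bit in `required` (None = no mode stored)."""
    return {name: mode for name, mode in entry_modes(zip_bytes).items()
            if mode is None or (mode & required) != required}


# Constructed sample: one entry as a restrictive umask such as 027 would
# leave a regular file (0640), one with the explicit 0755 the issue asks for.
SAMPLE = build_zip([
    ("restricted.py", "print('a')\n", 0o640),
    ("lambda_function.py", "print('b')\n", 0o755),
])

if __name__ == "__main__":
    for name, mode in missing_bits(SAMPLE).items():
        print(name, "no unix mode" if mode is None else oct(mode))
```

Run against the bytes of a generated archive in CI, a non-empty result from `missing_bits` flags the mismatch before deployment rather than at invocation time.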
