Default mode on config.json and service files is too permissive

[lchi]

I noticed that when provisioning configs (config.json or services via consul::service) the default file permissions are used. Since these files will likely have tokens in them, I was thinking the permissions should be more restrictive.

Thoughts on using something like mode => 0600? I'd be happy to open a PR.

[solarkennedy]

600 sounds too restrictive, even for me, and would be inflexible to other who are integrating the tool with other tools. We are setting the group, so I would accept a PR for an explicit 660, and if people need to read it, they can add their users to the consul group of their choosing.

It is using the default mode for whatever puppet has for your system. Is your default mode 600?
https://docs.puppetlabs.com/puppet/latest/reference/lang_defaults.html

File {
  mode => '0600',
}

Or use an alternative method of overriding permissions of a file in puppet without modifying the code?
https://docs.puppetlabs.com/puppet/latest/reference/lang_classes.html#overriding-resource-attributes

[aj-jester]

I think we can have both by creating a class param for mode and defaulting it to 0660.

Also, we need to do this for any other configuration that has tokens; service.pp, check.pp and watch.pp.