Make cfn-hup-update-action.sh executable Only by root

Himani Anil Deshpande · Himani Anil Deshpande · commit db54f1bef7b8 · 2025-02-10T11:12:45.000-05:00
diff --git a/cookbooks/aws-parallelcluster-environment/resources/cfn_hup_configuration.rb b/cookbooks/aws-parallelcluster-environment/resources/cfn_hup_configuration.rb
@@ -87,7 +87,7 @@
       source "cfn_hup_configuration/#{node['cluster']['node_type']}/cfn-hup-update-action.sh.erb"
       owner 'root'
       group 'root'
-      mode '0744' # TODO: Change permission
+      mode '0700'
       variables(
         monitor_shared_dir: monitor_shared_dir,
         launch_template_resource_id: node['cluster']['launch_template_id']
diff --git a/cookbooks/aws-parallelcluster-environment/spec/unit/resources/cfn_hup_configuration_spec.rb b/cookbooks/aws-parallelcluster-environment/spec/unit/resources/cfn_hup_configuration_spec.rb
@@ -90,7 +90,7 @@ def self.configure(chef_run)
                                .with(source: "cfn_hup_configuration/#{node_type}/cfn-hup-update-action.sh.erb")
                                .with(user: "root")
                                .with(group: "root")
-                               .with(mode: "0744")
+                               .with(mode: "0700")
                                .with(variables: {
                                  monitor_shared_dir: "#{MONITOR_SHARED_DIR}/dna",
                                  launch_template_resource_id: LAUNCH_TEMPLATE_ID,
diff --git a/cookbooks/aws-parallelcluster-environment/test/controls/cfn_hup_configuration_spec.rb b/cookbooks/aws-parallelcluster-environment/test/controls/cfn_hup_configuration_spec.rb
@@ -53,7 +53,7 @@
 
   describe file("#{node['cluster']['scripts_dir']}/cfn-hup-update-action.sh") do
     it { should exist }
-    its('mode') { should cmp '0744' }
+    its('mode') { should cmp '0700' }
     its('owner') { should eq 'root' }
     its('group') { should eq 'root' }
   end
