Setting directory owner and permission with appspec.yml through Amazon Web Service CodeDeploy

I'm deploying a Node.js application through Codeship using the CodeDeploy AWS deployment system.

I am making use of the appspec.yml file to set the owner and permissions of one of the deployed directories.

I want to allow read/write for any files that will be created in a specified folder of the deployment. Files will be created by the web application once it starts running.

Currently my appspec.yml contains the following:

version: 0.0
os: linux
files:
  - source: /
    destination: /var/www/APPLICATION_NAME
permissions:
  - object: /var/www/APPLICATION_NAME/tmpfiles
    mode: 644
    owner: ec2-user
    type:
      - directory
Galingale answered 4/2, 2015 at 11:26 Comment(0)
B
7

If you have Access Control Lists (ACLs) enabled on your filesystem, you can use default ACLs on your directory to allow read/write permissions for owner/group/others on newly created files in that directory.

AWS CodeDeploy lets you specify ACLs for your files in appspec.yml. It can take any valid ACL entries that can be passed to setfacl [1].

For example, in your case, to set read, write and execute permission for everyone on all newly created files, you can do something like:

version: 0.0
os: linux
files:
  - source: /
    destination: /var/www/APPLICATION_NAME
permissions:
  - object: /var/www/APPLICATION_NAME/tmpfiles
    mode: 644
    acls:
      - "d:u::rwx"
      - "d:g::rwx"
      - "d:o::rwx"
    owner: ec2-user
    type:
      - directory

The permissions can be restricted by the application that creates the new files. You can also set a default ACL mask to set mask bits to force certain permissions. For example, "d:m::rw" would mask the execute permission. You can explore more about ACLs and masking here: http://www.vanemery.com/Linux/ACL/POSIX_ACL_on_Linux.html

[1] http://linux.die.net/man/1/setfacl

Boloney answered 6/2, 2015 at 0:28 Comment(0)
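An added example, not part of the answer above and not CodeDeploy code: a small Python model of how Linux derives a new file's permission bits from the directory's default ACL (per acl(5), the umask is ignored and the create mode only removes bits). It shows which of the page's ACL variants leave new files world-writable. The function names are hypothetical, all three base entries are assumed present, and 0o666 is assumed as the mode the application passes when creating a file.

```python
# Added example: models acl(5) inheritance for new files; it does not call setfacl.
PERM_BITS = {"r": 4, "w": 2, "x": 1}
TAGS = {"u": "user", "g": "group", "o": "other", "m": "mask"}

def parse_default_acl(entries):
    """Parse default entries such as "d:u::rwx" or "d:m::rw".

    Only the unnamed user/group/other/mask entries used on this page are
    modelled; named entries (for example d:u:alice:rw) are rejected.
    """
    acl = {}
    for entry in entries:
        scope, tag, qualifier, perms = entry.split(":")
        if scope not in ("d", "default") or qualifier:
            raise ValueError(f"unsupported entry: {entry}")
        acl[TAGS[tag[0]]] = sum(PERM_BITS[c] for c in perms if c != "-")
    return acl

def new_file_mode(default_acl, create_mode):
    """Return (mode bits as shown by ls, effective owning-group permissions)."""
    acl = parse_default_acl(default_acl)
    user = acl["user"] & (create_mode >> 6) & 7
    other = acl["other"] & create_mode & 7
    # The group-class bits of create_mode limit the mask when one exists,
    # otherwise they limit the owning-group entry directly.
    if "mask" in acl:
        mask = acl["mask"] & (create_mode >> 3) & 7
        return (user << 6 | mask << 3 | other), acl["group"] & mask
    group = acl["group"] & (create_mode >> 3) & 7
    return (user << 6 | group << 3 | other), group

def world_writable(mode):
    """True when the 'other' class keeps write permission."""
    return bool(mode & 0o002)

if __name__ == "__main__":
    variants = {
        "as in the answer": ["d:u::rwx", "d:g::rwx", "d:o::rwx"],
        "with d:m::rw": ["d:u::rwx", "d:g::rwx", "d:o::rwx", "d:m::rw"],
        "no access for other": ["d:u::rwx", "d:g::rwx", "d:o::---"],
    }
    for label, entries in variants.items():
        mode, group = new_file_mode(entries, 0o666)
        print(f"{label}: mode={oct(mode)} group={group} "
              f"world_writable={world_writable(mode)}")
```

The mask only caps the group class, so adding "d:m::rw" does not remove write access for other; that takes a narrower "d:o" entry or a narrower create mode in the application.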
L
16

I found the appspec.yml file really hard to deal with.

I have a very big and complex folder structure and it's a headache to try to set permissions with the appspec.yml file. For this reason, I make use of "hooks" to call a small bash script to set my permissions.

Here is an example appspec.yml file that I have:

version: 0.0
os: linux
files:
  - source: /
    destination: /var/www
hooks:
  AfterInstall:
    - location: scripts/set-permissions.sh

Here is an example of the set-permissions.sh file:

#!/bin/bash
# Set ownership for all folders
chown -R www-data:www-data /var/www/
chown -R root:root /var/www/protected

# set files to 644 [except *.pl *.cgi *.sh]
find /var/www/ -type f -not -name "*.pl" -not -name "*.cgi" -not -name "*.sh" -print0 | xargs -0 chmod 0644

# set folders to 755
find /var/www/ -type d -print0 | xargs -0 chmod 0755
Lobeline answered 27/8, 2016 at 7:33 Comment(1)
If the scripts/set-permissions.sh file is in version control, this solution doesn't work, as it gets overridden with the deployment ...Eastward