Make Fluentd config folders readable

Currently, config folders lack the execute bit so Fluentd
cannot read the config and just does nothing when it starts up. This
change explicitly sets the execute bit on folders which need it,
rather than doing it in a more generic way which is more risky from
a security perspective.

Change-Id: Ia840f4b67043df4eaa654f47673dcdc973f13d9c
Closes-Bug: #1867754

ansible/roles/common/templates/fluentd.json.j2

@@ -22,6 +22,14 @@
     {% set fluentd_cmd = '/usr/sbin/td-agent' %}
 {% endif %}
 
+{%- macro config_directory_permissions(dir) -%}
+        {
+            "path": "{{ fluentd_dir }}/{{ dir }}",
+            "owner": "{{ fluentd_user }}:{{ fluentd_user }}",
+            "perm": "0700"
+        }
+{%- endmacro -%}
+
 {
     "command": "{{ fluentd_cmd }}",
     "config_files": [
@@ -52,7 +60,12 @@
             "path": "/var/lib/fluentd/data",
             "owner": "{{ fluentd_user }}:{{ fluentd_user }}",
             "recurse": true
-        }
+        },
+        {# Allow Fluentd to read configuration from folders #}
+        {{ config_directory_permissions("input") }},
+        {{ config_directory_permissions("filter") }},
+        {{ config_directory_permissions("format") }},
+        {{ config_directory_permissions("output") }}
     ]
 
 }