diff --git a/modules/deploy/create.sh.tpl b/modules/deploy/create.sh.tpl
index 61b5c79..713109a 100644
--- a/modules/deploy/create.sh.tpl
+++ b/modules/deploy/create.sh.tpl
@@ -1,8 +1,10 @@
 set -x
+DIR=$(pwd)
 cd ${deploy_path}
 pwd
 ls -lah
-. envrc
+whoami
+. ${deploy_path}/envrc
 TF_CLI_ARGS_init=""
 TF_CLI_ARGS_apply=""
 
@@ -54,5 +56,5 @@ if [ $EXITCODE -eq 0 ]; then
   echo "success...";
   terraform output -json -state="${deploy_path}/tfstate" > ${deploy_path}/outputs.json
 fi
-
+cd $DIR
 exit $EXITCODE
diff --git a/modules/deploy/destroy.sh.tpl b/modules/deploy/destroy.sh.tpl
index 17b3747..e7296cf 100644
--- a/modules/deploy/destroy.sh.tpl
+++ b/modules/deploy/destroy.sh.tpl
@@ -1,8 +1,10 @@
 set -x
+DIR=$(pwd)
 cd ${deploy_path}
 pwd
 ls -lah
-. envrc
+whoami
+. ${deploy_path}/envrc
 TF_CLI_ARGS_init=""
 TF_CLI_ARGS_apply=""
 if [ -z "${skip_destroy}" ]; then
@@ -11,3 +13,5 @@ if [ -z "${skip_destroy}" ]; then
 else
   echo "Not destroying deployed module, it will no longer be managed here."
 fi
+cd $DIR
+exit 0
diff --git a/modules/deploy/main.tf b/modules/deploy/main.tf
index 93974e8..85c3c91 100644
--- a/modules/deploy/main.tf
+++ b/modules/deploy/main.tf
@@ -31,7 +31,6 @@ resource "file_local_directory" "deploy_path" {
   path        = local.deploy_path
   permissions = "0755"
 }
-
 resource "file_local_directory" "tf_data_dir" {
   count       = (local.tf_data_dir != local.deploy_path ? 1 : 0)
   path        = local.tf_data_dir
@@ -75,9 +74,10 @@ resource "file_local" "write_tmp_inputs" {
     file_local_directory.deploy_path,
     file_local_directory.tf_data_dir,
   ]
-  directory = local.tf_data_dir
-  name      = "inputs.tmp"
-  contents  = local.inputs
+  directory   = local.tf_data_dir
+  name        = "inputs.tmp"
+  contents    = local.inputs
+  permissions = "0400"
 }
 resource "file_local_snapshot" "persist_inputs" {
   depends_on = [
@@ -107,9 +107,10 @@ resource "file_local" "write_tmp_env" {
     file_local_directory.deploy_path,
     file_local_directory.tf_data_dir,
   ]
-  directory = local.tf_data_dir
-  name      = "env.tmp"
-  contents  = local.export_contents
+  directory   = local.tf_data_dir
+  name        = "env.tmp"
+  contents    = local.export_contents
+  permissions = "0400"
 }
 resource "file_local_snapshot" "persist_envrc" {
   depends_on = [
@@ -128,9 +129,10 @@ resource "file_local" "instantiate_envrc_snapshot" {
     file_local.write_tmp_env,
     file_local_snapshot.persist_envrc,
   ]
-  directory = local.deploy_path
-  name      = "envrc"
-  contents  = base64decode(file_local_snapshot.persist_envrc.snapshot)
+  directory   = local.deploy_path
+  name        = "envrc"
+  contents    = base64decode(file_local_snapshot.persist_envrc.snapshot)
+  permissions = "0644"
 }
 
 ## Deploy ##