Comment 5 for bug 1541196

I took an alternative approach by having systemd run chmod after cloud-init starts, which avoid the need to otherwise touch cloud-init:

/etc/systemd/system/cloud-init-log-permissions.service

[Unit]
Description=Correct cloud-init's logfile permissions

# We want to start *AFTER* cloud-init has opened its log files:
After=cloud-init.service

# We want to restart any time cloud-init is restarted (requires RemainAfterExit below):
PartOf=cloud-init.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/chmod u=rw,g=r,o= /var/log/cloud-init.log /var/log/cloud-init-output.log

[Install]
WantedBy=multi-user.target