fix(codebuild): use openssl s_client for GHE cert extraction; add GIT…

…HUB_INSECURE=true env var
CSVD · Mar 18, 2026 · 0dd3f22 · 0dd3f22
1 parent da843a3
commit 0dd3f22
Showing 1 changed file with 26 additions and 10 deletions.
diff --git a/codebuild/buildspec.yml b/codebuild/buildspec.yml
@@ -23,6 +23,9 @@ env:
     TF_PLUGIN_CACHE_DIR: "/root/.terraform.d/plugin-cache"
     PROVIDER_CACHE_S3: "s3://inf-tfstate-229685449397/tf-provider-cache"
     PROVIDER_CACHE_S3_REGION: "us-gov-east-1"
+    # Tell the integrations/github TF provider to skip TLS cert verification
+    # (reads GITHUB_INSECURE env var; also set insecure=true in providers.tf)
+    GITHUB_INSECURE: "true"
 
 phases:
 
@@ -36,18 +39,31 @@ phases:
       - unzip -q /tmp/tf.zip -d /usr/local/bin && rm /tmp/tf.zip
       - echo "Installing GHE CA certificate into system trust store..."
       - |
-        # Extract full cert chain from the GHE endpoint and install so the
-        # Terraform GitHub provider (Go TLS) trusts the internal CA.
-        # Uses HTTPS_PROXY via curl; openssl parses the PEM from the output.
-        curl -vsk --proxy "${HTTPS_PROXY}" \
-          https://github.e.it.census.gov 2>&1 \
-          | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' \
-          > /usr/local/share/ca-certificates/ghe-internal.crt
-        if [ -s /usr/local/share/ca-certificates/ghe-internal.crt ]; then
+        # Extract full cert chain using openssl s_client -showcerts, which outputs
+        # proper PEM blocks (curl -v does NOT output PEM). Terraform/Go TLS uses
+        # the system trust store (/etc/ssl/certs/ca-certificates.crt).
+        GHE_HOST="github.e.it.census.gov"
+        CERT_FILE="/usr/local/share/ca-certificates/ghe-internal.crt"
+        # Strip scheme from proxy URL (openssl -proxy takes host:port only)
+        PROXY_ADDR=$(echo "${HTTPS_PROXY:-}" | sed 's|^https\?://||' | sed 's|/$||')
+        if [ -n "$PROXY_ADDR" ]; then
+          echo "Extracting GHE cert via proxy ${PROXY_ADDR}..."
+          openssl s_client -connect "${GHE_HOST}:443" -proxy "${PROXY_ADDR}" \
+            -showcerts < /dev/null 2>/dev/null \
+            | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' \
+            > "${CERT_FILE}"
+        else
+          echo "Extracting GHE cert directly (no proxy)..."
+          openssl s_client -connect "${GHE_HOST}:443" \
+            -showcerts < /dev/null 2>/dev/null \
+            | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' \
+            > "${CERT_FILE}"
+        fi
+        if [ -s "${CERT_FILE}" ]; then
           update-ca-certificates --fresh
-          echo "GHE CA cert installed."
+          echo "GHE CA cert installed ($(grep -c 'BEGIN CERTIFICATE' ${CERT_FILE}) certs)."
         else
-          echo "WARNING: could not extract GHE cert; TLS verification may fail for GitHub provider."
+          echo "WARNING: could not extract GHE cert; insecure=true provider setting is the fallback."
         fi
       - terraform version
       - echo "Installing tf wrapper script from repo..."