fix(codebuild): route S3 through proxy; pass TF_WORKSPACE on trigger

- Remove .amazonaws.com from NO_PROXY so S3 traffic goes through the
  proxy instead of timing out on a direct connection from the VPC subnet
- Add --environment-variables-override on make trigger so TF_WORKSPACE
  always matches the local workspace (auto-inherited via tf workspace show)

codebuild/Makefile

@@ -243,10 +243,11 @@ show-outputs:
 trigger: check-env
 	$(eval PROJECT := $(shell TF_DATA_DIR=$(TF_DATA_DIR) $(TF) output -raw codebuild_project_name 2>/dev/null))
 	@[ -n "$(PROJECT)" ] || (echo "$(RED)ERROR: Could not read codebuild_project_name from state. Run make apply first.$(RESET)"; exit 1)
-	@echo "$(BOLD)Starting build: $(PROJECT)$(RESET)"
+	@echo "$(BOLD)Starting build: $(PROJECT) (workspace: $(TF_WORKSPACE))$(RESET)"
 	$(eval BUILD_ID := $(shell aws codebuild start-build \
 	    --project-name $(PROJECT) \
 	    --region $(AWS_REGION) \
+	    --environment-variables-override name=TF_WORKSPACE,value=$(TF_WORKSPACE),type=PLAINTEXT \
 	    --query 'build.id' --output text))
 	@echo "  Build ID : $(BUILD_ID)"
 	@echo "  Console  : https://console.amazonaws-us-gov.com/codesuite/codebuild/projects/$(PROJECT)/build/$(BUILD_ID)/log"

codebuild/main.tf

@@ -5,7 +5,7 @@ locals {
   proxy_env = [
     { name = "HTTP_PROXY", value = "http://proxy.tco.census.gov:3128", type = "PLAINTEXT" },
     { name = "HTTPS_PROXY", value = "http://proxy.tco.census.gov:3128", type = "PLAINTEXT" },
-    { name = "NO_PROXY", value = "169.254.170.2,.census.gov,169.254.169.254,10.0.0.0/8,172.16.0.0/12,.amazonaws.com,169.254.169.254", type = "PLAINTEXT" },
+    { name = "NO_PROXY", value = "169.254.170.2,.census.gov,169.254.169.254,10.0.0.0/8,172.16.0.0/12,169.254.169.254", type = "PLAINTEXT" },
   ]
 
   # Non-secret environment variables: workspace selection and automation flag