fix(codebuild): add GITHUB_BASE_URL env var; broaden IAM role resourc…

…e pattern to cover SCT-Engineering task roles

codebuild/main.tf

@@ -12,6 +12,9 @@ locals {
   job_env = [
     { name = "TF_WORKSPACE", value = var.tf_workspace, type = "PLAINTEXT" },
     { name = "TF_IN_AUTOMATION", value = "true", type = "PLAINTEXT" },
+    # Point the GitHub Terraform provider at the GHE instance instead of github.com.
+    # The provider reads GITHUB_BASE_URL automatically (equivalent to base_url in config).
+    { name = "GITHUB_BASE_URL", value = var.github_base_url, type = "PLAINTEXT" },
   ]
 
   # GitHub PAT injected from Secrets Manager.
@@ -247,6 +250,8 @@ data "aws_iam_policy_document" "ghe_runner_deploy" {
     resources = [
       "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/*github*",
       "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/*ghe*",
+      "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/*runner*",
+      "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/*task*",
     ]
   }
 

codebuild/variables.tf

@@ -31,6 +31,17 @@ variable "schedule_expression" {
 
 # ── GitHub ────────────────────────────────────────────────────────────────────
 
+variable "github_base_url" {
+  description = <<-EOT
+    Base URL for the GitHub API. For GitHub Enterprise, this must be the
+    API endpoint (e.g. https://github.example.com/api/v3/).
+    Injected as GITHUB_BASE_URL so the Terraform GitHub provider inside
+    the CodeBuild build uses the GHE instance, not github.com.
+  EOT
+  type        = string
+  default     = "https://github.e.it.census.gov/api/v3/"
+}
+
 variable "github_token_secret_arn" {
   description = <<-EOT
     ARN of the Secrets Manager secret that holds the GitHub PAT.