From aaf9b61ea5acac4176a4167ffc35593bfac0f0b0 Mon Sep 17 00:00:00 2001
From: Your Name
Date: Wed, 18 Mar 2026 14:23:22 -0400
Subject: [PATCH] fix(codebuild): add GITHUB_BASE_URL env var; broaden IAM role resource pattern to cover SCT-Engineering task roles
---
 codebuild/main.tf | 5 +++++
 codebuild/variables.tf | 11 +++++++++++
 2 files changed, 16 insertions(+)
diff --git a/codebuild/main.tf b/codebuild/main.tf
index bc37e87..359c254 100644
--- a/codebuild/main.tf
+++ b/codebuild/main.tf
@@ -12,6 +12,9 @@ locals {
 job_env = [
 { name = "TF_WORKSPACE", value = var.tf_workspace, type = "PLAINTEXT" },
 { name = "TF_IN_AUTOMATION", value = "true", type = "PLAINTEXT" },
+ # Point the GitHub Terraform provider at the GHE instance instead of github.com.
+ # The provider reads GITHUB_BASE_URL automatically (equivalent to base_url in config).
+ { name = "GITHUB_BASE_URL", value = var.github_base_url, type = "PLAINTEXT" },
 ]
 # GitHub PAT injected from Secrets Manager.
@@ -247,6 +250,8 @@ data "aws_iam_policy_document" "ghe_runner_deploy" {
 resources = [
 "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/*github*",
 "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/*ghe*",
+ "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/*runner*",
+ "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/*task*",
 ]
 }
diff --git a/codebuild/variables.tf b/codebuild/variables.tf
index b8696c3..962e03f 100644
--- a/codebuild/variables.tf
+++ b/codebuild/variables.tf
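Review bot: The new GITHUB_BASE_URL entry is only honoured when the GitHub provider block in the workspace being built does not set `base_url` itself — as far as I recall the explicit provider argument takes precedence over the environment variable — so a workspace that already pins `base_url` would keep talking to github.com with no error from this change. The comment above the entry should say so to save the next person a debugging session: `# NOTE: an explicit base_url in the workspace's provider block overrides this env var.` The `locals` block this sits in starts and ends outside the hunk.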
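Review bot: `role/*task*` on the last added line matches every role in the account whose name contains "task" — most obviously every ECS task role — which is much wider than the SCT-Engineering task roles the subject line says it is meant to cover, and `role/*runner*` is similarly open-ended. The actions this `resources` list is bound to are outside the hunk, so I cannot tell whether this is iam:PassRole, sts:AssumeRole or something broader, but for any of them the pattern should pin the team's naming prefix rather than a generic substring, e.g. a `role/*sct-engineering*task*`-style pattern adjusted to the real role names. If the names cannot be pinned, an `aws:ResourceTag` condition on the statement is the next best guard. The `ghe_runner_deploy` policy document starts and ends outside the hunk.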
@@ -31,6 +31,17 @@ variable "schedule_expression" {
 # ── GitHub ────────────────────────────────────────────────────────────────────
+variable "github_base_url" {
+ description = <<-EOT
+ Base URL for the GitHub API. For GitHub Enterprise, this must be the
+ API endpoint (e.g. https://github.example.com/api/v3/).
+ Injected as GITHUB_BASE_URL so the Terraform GitHub provider inside
+ the CodeBuild build uses the GHE instance, not github.com.
+ EOT
+ type = string
+ default = "https://github.e.it.census.gov/api/v3/"
+}
+
 variable "github_token_secret_arn" {
 description = <<-EOT
 ARN of the Secrets Manager secret that holds the GitHub PAT.
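Review bot: `github_base_url` is accepted without a `validation` block, yet whatever it holds is the host the PAT from `github_token_secret_arn` (declared directly below) is sent to; a value typed as `http://` or pointing at the wrong host hands that token to the wrong endpoint with no Terraform-side error. Add a validation that requires an https URL ending in `/api/v3/`, which is the format the description already promises. The hard-coded default `https://github.e.it.census.gov/api/v3/` also bakes one deployment's hostname into what looks like a reusable module; if the module is meant to be shared, consider dropping the default so callers set it explicitly. The rest of variables.tf is outside the hunk.
```hcl
variable "github_base_url" {
  # … unchanged: description …
  type    = string
  default = "https://github.e.it.census.gov/api/v3/"

  validation {
    # The PAT is sent to this host, so refuse plain http and anything that is not a GHE API root.
    condition     = can(regex("^https://[^/]+/api/v3/$", var.github_base_url))
    error_message = "github_base_url must be an https GitHub Enterprise API endpoint ending in /api/v3/ (e.g. https://github.example.com/api/v3/)."
  }
}
```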