From da843a348ed51ceae352882e43e9bb035ab92fe2 Mon Sep 17 00:00:00 2001
From: Your Name
Date: Wed, 18 Mar 2026 15:52:39 -0400
Subject: [PATCH] fix: add insecure=true to GitHub provider; install GHE CA cert in buildspec
---
 codebuild/buildspec.yml | 15 +++++++++++++++
 providers.tf | 1 +
 2 files changed, 16 insertions(+)
diff --git a/codebuild/buildspec.yml b/codebuild/buildspec.yml
index de65072..3f3c1a8 100644
--- a/codebuild/buildspec.yml
+++ b/codebuild/buildspec.yml
@@ -34,6 +34,21 @@ phases:
 - |
 curl -sLo /tmp/tf.zip "https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_amd64.zip"
 - unzip -q /tmp/tf.zip -d /usr/local/bin && rm /tmp/tf.zip
+ - echo "Installing GHE CA certificate into system trust store..."
+ - |
+ # Extract full cert chain from the GHE endpoint and install so the
+ # Terraform GitHub provider (Go TLS) trusts the internal CA.
+ # Uses HTTPS_PROXY via curl; openssl parses the PEM from the output.
+ curl -vsk --proxy "${HTTPS_PROXY}" \ https://github.e.it.census.gov 2>&1 \ | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' \ > /usr/local/share/ca-certificates/ghe-internal.crt
+ if [ -s /usr/local/share/ca-certificates/ghe-internal.crt ]; then
+ update-ca-certificates --fresh
+ echo "GHE CA cert installed."
+ else
+ echo "WARNING: could not extract GHE cert; TLS verification may fail for GitHub provider."
+ fi
 - terraform version
 - echo "Installing tf wrapper script from repo..."
 - cp codebuild/tf /usr/local/bin/tf
diff --git a/providers.tf b/providers.tf
index 023b890..eef4f2d 100644
--- a/providers.tf
+++ b/providers.tf
@@ -15,6 +15,7 @@ terraform {
 provider "github" {
 owner = var.repo_org
 base_url = var.base_url
+ insecure = true # GHE uses an internal CA not trusted by default
 # token is automatically read from GITHUB_TOKEN env var
 }
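Review bot: The certificate written into the system trust store is obtained from the very endpoint it is meant to authenticate, via `curl -vsk` (verification disabled) routed through `"${HTTPS_PROXY}"`, so whatever the proxy or any on-path party presents during that first build becomes a trusted root for the remainder of the build; this is trust-on-first-use rather than provisioning a known CA, and the awk range only captures what the server happens to send, which need not include the root. The comment `# Uses HTTPS_PROXY via curl; openssl parses the PEM from the output.` does not match the pipeline, which invokes no openssl at all, and as far as I know curl's `-v` trace prints certificate summary fields (subject, issuer, dates) rather than PEM blocks, so the file is likely empty and the build silently takes the WARNING branch and continues. The CA bundle should come from a trusted, version-controlled or secret-managed source and its absence should fail the build, e.g. `printf '%s\n' "${GHE_CA_PEM:?GHE CA bundle not provided}" > /usr/local/share/ca-certificates/ghe-internal.crt` followed by `update-ca-certificates` (GHE_CA_PEM is a constructed placeholder for the variable or secret that delivers the PEM). The enclosing phase block starts before the hunk.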
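Review bot: `insecure = true` disables TLS certificate verification for every GitHub provider request, so the token read from `GITHUB_TOKEN` (per the comment on the next line) is sent to an unauthenticated peer, and it makes the CA installation added in codebuild/buildspec.yml redundant: if that install works the flag is unnecessary, and if it does not the flag hides the failure instead of surfacing it. The trailing comment `# GHE uses an internal CA not trusted by default` names a problem whose remedy is trusting that CA, not turning verification off. Drop the line, or if a transitional escape hatch is required, gate it on a variable that defaults to false, e.g. `insecure = var.github_insecure # default false; only for debugging a misconfigured trust store` (variable name constructed).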