diff --git a/deploy/.terraform_commits b/deploy/.terraform_commits index 984a63b..feb8b91 100644 --- a/deploy/.terraform_commits +++ b/deploy/.terraform_commits 
@@ -94,5 +94,71 @@ "commit_message": "fix: VERIFY_SSL=false; public repo visibility; add ec2:DescribeVpcs to SC launch role\n\n- VERIFY_SSL was incorrectly set to 'true' (Census CA cert not in certifi)\n- repo_visibility changed from 'internal' to 'public' per ECA requirements\n- Added EC2DescribeVpcs permission to SC launch role IAM policy", "author": "Your Name", "timestamp": "2026-04-06T12:18:21.814330" + }, + { + "commit_hash": "ec54b54a1c66f0ed6fa814ceda538f18e8453284", + "commit_message": "feat: Lambda delegates EKS repos to CodeBuild + terraform-eks-deployment\n\n- app.py: add start_codebuild_build() and poll_codebuild_build() helpers\n- app.py: EKS deployment path (is_eks_deployment=True) now starts CodeBuild\n project 'eks-terragrunt-repo-creator', polls until SUCCEEDED/FAILED,\n and sends cfn-response accordingly; non-EKS path unchanged\n- deploy/main.tf: add aws_codebuild_project.eks_repo_creator resource\n (NO_SOURCE, uses buildspec.yml from terraform-eks-deployment)\n CODEBUILD_PROJECT_NAME injected into Lambda environment\n- deploy/variables.tf: codebuild_project_name, codebuild_role_arn, codebuild_vpc_id\n- deploy/terraform.tfvars: set CodeBuild project name, role ARN, VPC ID", + "author": "Your Name", + "timestamp": "2026-04-06T13:55:14.843964" + }, + { + "commit_hash": "52ebef0541aa8bac0dc9fab41e4e4be4a0ebbbbe", + "commit_message": "chore: tf apply \u2014 add eks-terragrunt-repo-creator CodeBuild project + Lambda CODEBUILD_PROJECT_NAME env var", + "author": "Your Name", + "timestamp": "2026-04-06T14:07:45.300705" + }, + { + "commit_hash": "52ebef0541aa8bac0dc9fab41e4e4be4a0ebbbbe", + "commit_message": "chore: tf apply \u2014 add eks-terragrunt-repo-creator CodeBuild project + Lambda CODEBUILD_PROJECT_NAME env var", + "author": "Your Name", + "timestamp": "2026-04-06T14:08:05.836742" + }, + { + "commit_hash": "8310ee1b5d65d5b112d891a7eb987ac0856ba9f3", + "commit_message": "fix: increase Lambda timeout to 900s to cover CodeBuild poll window\n\nLambda 
was set to 300s but poll_codebuild_build loops for up to 12 min (720s).\nLambda would be killed by AWS before it could report back to CloudFormation.\n900s gives a ~180s buffer beyond the poll window.", + "author": "Your Name", + "timestamp": "2026-04-06T14:32:04.632013" + }, + { + "commit_hash": "8310ee1b5d65d5b112d891a7eb987ac0856ba9f3", + "commit_message": "fix: increase Lambda timeout to 900s to cover CodeBuild poll window\n\nLambda was set to 300s but poll_codebuild_build loops for up to 12 min (720s).\nLambda would be killed by AWS before it could report back to CloudFormation.\n900s gives a ~180s buffer beyond the poll window.", + "author": "Your Name", + "timestamp": "2026-04-07T12:07:10.663787" + }, + { + "commit_hash": "eb184634fcc11c9d9146d06e401b7fcd04cde322", + "commit_message": "fix: remove spurious '- ' prefix from additional_post_build_commands\n\nThe packer-pipeline internal buildspec template already wraps the value\nin '- {{ additional_post_build_commands }}', so prefixing the value with\n'- ' caused YAML_FILE_ERROR (nested list) in CodeBuild build #8.", + "author": "Your Name", + "timestamp": "2026-04-07T12:36:02.814421" + }, + { + "commit_hash": "eb184634fcc11c9d9146d06e401b7fcd04cde322", + "commit_message": "fix: remove spurious '- ' prefix from additional_post_build_commands\n\nThe packer-pipeline internal buildspec template already wraps the value\nin '- {{ additional_post_build_commands }}', so prefixing the value with\n'- ' caused YAML_FILE_ERROR (nested list) in CodeBuild build #8.", + "author": "Your Name", + "timestamp": "2026-04-07T12:39:29.803299" + }, + { + "commit_hash": "eb184634fcc11c9d9146d06e401b7fcd04cde322", + "commit_message": "fix: remove spurious '- ' prefix from additional_post_build_commands\n\nThe packer-pipeline internal buildspec template already wraps the value\nin '- {{ additional_post_build_commands }}', so prefixing the value with\n'- ' caused YAML_FILE_ERROR (nested list) in CodeBuild build #8.", + "author": "Your 
Name", + "timestamp": "2026-04-07T12:39:47.151568" + }, + { + "commit_hash": "eb184634fcc11c9d9146d06e401b7fcd04cde322", + "commit_message": "fix: remove spurious '- ' prefix from additional_post_build_commands\n\nThe packer-pipeline internal buildspec template already wraps the value\nin '- {{ additional_post_build_commands }}', so prefixing the value with\n'- ' caused YAML_FILE_ERROR (nested list) in CodeBuild build #8.", + "author": "Your Name", + "timestamp": "2026-04-07T12:56:16.684733" + }, + { + "commit_hash": "5d3ff19015b916206a52dc8d591cea529b9d62ce", + "commit_message": "fix: use PAT (ghe-runner/github-token) for Terraform GitHub provider in CodeBuild\n\nThe standard github_token (/eks-cluster-deployment/github_token) is a GitHub\nApp installation token (ghs_ prefix) which cannot access /api/v3/user. This\nendpoint is always called by the CSVD terraform-github-repo module's\ndata.github_user.current resource.\n\nChanges:\n- app.py: check TF_GITHUB_TOKEN_SECRET_NAME env var first for CodeBuild token;\n falls back to GITHUB_TOKEN_SECRET_NAME if not set\n- deploy/main.tf: add TF_GITHUB_TOKEN_SECRET_NAME=ghe-runner/github-token env var\n- deploy/main.tf: add IAM policy granting Lambda access to ghe-runner/github-token", + "author": "Your Name", + "timestamp": "2026-04-07T13:10:02.295504" + }, + { + "commit_hash": "5d3ff19015b916206a52dc8d591cea529b9d62ce", + "commit_message": "fix: use PAT (ghe-runner/github-token) for Terraform GitHub provider in CodeBuild\n\nThe standard github_token (/eks-cluster-deployment/github_token) is a GitHub\nApp installation token (ghs_ prefix) which cannot access /api/v3/user. 
This\nendpoint is always called by the CSVD terraform-github-repo module's\ndata.github_user.current resource.\n\nChanges:\n- app.py: check TF_GITHUB_TOKEN_SECRET_NAME env var first for CodeBuild token;\n falls back to GITHUB_TOKEN_SECRET_NAME if not set\n- deploy/main.tf: add TF_GITHUB_TOKEN_SECRET_NAME=ghe-runner/github-token env var\n- deploy/main.tf: add IAM policy granting Lambda access to ghe-runner/github-token", + "author": "Your Name", + "timestamp": "2026-04-07T13:10:20.067727" } ] \ No newline at end of file diff --git a/deploy/terraform.tfstate b/deploy/terraform.tfstate index 830ccc4..8c4f88c 100644 --- a/deploy/terraform.tfstate +++ b/deploy/terraform.tfstate @@ -1,7 +1,7 @@ { "version": 4, "terraform_version": "1.9.1", - "serial": 195, + "serial": 210, "lineage": "637f189b-ce2c-766c-35d1-8b43eb7ae216", "outputs": { "api_endpoint": { 
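Review bot: The appended entries repeat the same commit hash under new timestamps (52ebef05 twice, 8310ee1b twice, eb184634 four times, 5d3ff190 twice), which suggests whatever writes this file fires on each `terraform apply` rather than on each commit, so the duplicates will keep growing with every re-apply. Every entry also carries the placeholder `"author": "Your Name"`, which points to `git config user.name` being unset wherever the hook runs, so the log cannot attribute who applied a change. If the file is meant to be an audit trail of applies, record the apply timestamp and the applying IAM principal (from `aws sts get-caller-identity`) and de-duplicate on `commit_hash`; if it is meant to mirror commits, append only when the hash changes.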
@@ -177,7 +177,7 @@ { "auth": [], "build_status_config": [], - "buildspec": "version: 0.2\n# buildspec.yml — terraform-eks-deployment / eks-terragrunt-repo-creator\n#\n# This buildspec is used by the CodeBuild project that is triggered by the\n# Lambda function (eks-terragrunt-repo-gen-template-automation) to create an\n# EKS cluster GitHub repository.\n#\n# Required environment variables (injected by the Lambda as overrides):\n# TF_VAR_name — cluster / repo name\n# TF_VAR_environment — environment (dev / nonprod / prod)\n# TF_VAR_region — AWS region (e.g. us-gov-west-1)\n# TF_VAR_cluster_config — JSON object with account_name, aws_account_id, etc.\n# TF_VAR_finops — JSON object with finops project_name / project_number\n# GITHUB_TOKEN — GitHub PAT (passed from Lambda's Secrets Manager read)\n# GITHUB_OWNER — GitHub org (default: SCT-Engineering)\n# GITHUB_BASE_URL — GHE base URL (e.g. https://github.e.it.census.gov)\n\nenv:\n variables:\n TF_VERSION: \"1.9.0\"\n ASSETS_BUCKET: \"csvd-packer-pipeline-assets\"\n REPO_HOST: \"github.e.it.census.gov\"\n REPO_ORG: \"CSVD\"\n REPO_NAME: \"terraform-eks-deployment\"\n # Disable TLS verification for Census GHE (Census CA cert not trusted by default)\n GIT_SSL_NO_VERIFY: \"true\"\n TF_CLI_ARGS: \"-no-color\"\n\nphases:\n install:\n commands:\n # ── Install Terraform ─────────────────────────────────────────────────\n - |\n if ! 
command -v terraform \u0026\u003e/dev/null; then\n TF_ZIP=\"terraform_${TF_VERSION}_linux_amd64.zip\"\n echo \"Installing Terraform ${TF_VERSION}...\"\n aws s3 cp \"s3://${ASSETS_BUCKET}/terraform/${TF_ZIP}\" /tmp/${TF_ZIP} 2\u003e/dev/null \\\n || curl -fsSL \"https://releases.hashicorp.com/terraform/${TF_VERSION}/${TF_ZIP}\" -o /tmp/${TF_ZIP}\n unzip -oq /tmp/${TF_ZIP} -d /usr/local/bin/\n chmod +x /usr/local/bin/terraform\n rm /tmp/${TF_ZIP}\n fi\n - terraform version\n\n # ── Clone terraform-eks-deployment ───────────────────────────────────\n - |\n git config --global credential.helper \\\n \"!f() { echo username=x-access-token; echo password=${GITHUB_TOKEN}; }; f\"\n git clone --depth 1 \\\n \"https://${REPO_HOST}/${REPO_ORG}/${REPO_NAME}.git\" \\\n /tmp/eks-deploy\n - echo \"Cloned ${REPO_ORG}/${REPO_NAME} @ $(git -C /tmp/eks-deploy rev-parse --short HEAD)\"\n\n build:\n commands:\n - cd /tmp/eks-deploy\n - echo \"=== terraform init ===\"\n - terraform init -no-color\n - echo \"=== terraform apply ===\"\n - terraform apply -auto-approve -no-color\n\n post_build:\n commands:\n - |\n if [ \"${CODEBUILD_BUILD_SUCCEEDING}\" = \"0\" ]; then\n echo \"Build FAILED — check logs above\"\n else\n echo \"Build SUCCEEDED — repository created\"\n fi\n", + "buildspec": "version: 0.2\n# buildspec.yml — terraform-eks-deployment / eks-terragrunt-repo-creator\n#\n# This buildspec is used by the CodeBuild project that is triggered by the\n# Lambda function (eks-terragrunt-repo-gen-template-automation) to create an\n# EKS cluster GitHub repository.\n#\n# Required environment variables (injected by the Lambda as overrides):\n# TF_VAR_name — cluster / repo name\n# TF_VAR_environment — environment (dev / nonprod / prod)\n# TF_VAR_region — AWS region (e.g. 
us-gov-west-1)\n# TF_VAR_cluster_config — JSON object with account_name, aws_account_id, etc.\n# TF_VAR_finops — JSON object with finops project_name / project_number\n# GITHUB_TOKEN — GitHub PAT (passed from Lambda's Secrets Manager read)\n# GITHUB_OWNER — GitHub org (default: SCT-Engineering)\n# GITHUB_BASE_URL — GHE base URL (e.g. https://github.e.it.census.gov)\n\nenv:\n variables:\n TF_VERSION: \"1.9.1\"\n ASSETS_BUCKET: \"csvd-packer-pipeline-assets\"\n REPO_HOST: \"github.e.it.census.gov\"\n REPO_ORG: \"SCT-Engineering\"\n REPO_NAME: \"terraform-eks-deployment\"\n REPO_BRANCH: \"fix/eca-copilot-instructions-and-callnotes\" # update to main once merged\n # Disable TLS verification for Census GHE (Census CA cert not trusted by default)\n GIT_SSL_NO_VERIFY: \"true\"\n TF_CLI_ARGS: \"-no-color\"\n # Census proxy — required for registry.terraform.io provider downloads\n HTTPS_PROXY: \"http://proxy.tco.census.gov:3128\"\n HTTP_PROXY: \"http://proxy.tco.census.gov:3128\"\n # Exclude AWS-internal endpoints and Census GHE from the proxy\n NO_PROXY: \"169.254.169.254,169.254.170.2,s3.us-gov-west-1.amazonaws.com,s3.amazonaws.com,.amazonaws.com,.us-gov-west-1.amazonaws.com,github.e.it.census.gov\"\n\nphases:\n install:\n commands:\n # ── Install Census Bureau CA certificate ──────────────────────────────\n # The Census GHE TLS cert is issued by the Census Bureau CA which is not\n # trusted by the CodeBuild Amazon Linux 2 trust store by default.\n - |\n aws s3 cp \"s3://${ASSETS_BUCKET}/certs/census-ca.pem\" \\\n /etc/pki/ca-trust/source/anchors/census-ca.pem 2\u003e/dev/null \\\n \u0026\u0026 update-ca-trust \\\n \u0026\u0026 echo \"Census CA cert installed\" \\\n || echo \"WARNING: could not install Census CA cert (continuing anyway)\"\n\n # ── Install Terraform ─────────────────────────────────────────────────\n - |\n if ! 
command -v terraform \u0026\u003e/dev/null; then\n TF_ZIP=\"terraform_${TF_VERSION}_linux_amd64.zip\"\n echo \"Installing Terraform ${TF_VERSION}...\"\n aws s3 cp \"s3://${ASSETS_BUCKET}/terraform/${TF_ZIP}\" /tmp/${TF_ZIP} 2\u003e/dev/null \\\n || curl -fsSL \"https://releases.hashicorp.com/terraform/${TF_VERSION}/${TF_ZIP}\" -o /tmp/${TF_ZIP}\n unzip -oq /tmp/${TF_ZIP} -d /usr/local/bin/\n chmod +x /usr/local/bin/terraform\n rm /tmp/${TF_ZIP}\n fi\n - terraform version\n\n # ── Clone terraform-eks-deployment ───────────────────────────────────\n - |\n git config --global credential.helper \\\n \"!f() { echo username=x-access-token; echo password=${GITHUB_TOKEN}; }; f\"\n git clone --depth 1 --branch \"${REPO_BRANCH}\" \\\n \"https://${REPO_HOST}/${REPO_ORG}/${REPO_NAME}.git\" \\\n /tmp/eks-deploy\n - echo \"Cloned ${REPO_ORG}/${REPO_NAME} @ $(git -C /tmp/eks-deploy rev-parse --short HEAD)\"\n\n build:\n commands:\n - cd /tmp/eks-deploy\n - echo \"=== terraform init ===\"\n - terraform init -no-color\n - echo \"=== terraform apply ===\"\n - terraform apply -auto-approve -no-color\n\n post_build:\n commands:\n - |\n if [ \"${CODEBUILD_BUILD_SUCCEEDING}\" = \"0\" ]; then\n echo \"Build FAILED — check logs above\"\n else\n echo \"Build SUCCEEDED — repository created\"\n fi\n", "git_clone_depth": 0, "git_submodules_config": [], "insecure_ssl": false, 
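Review bot: The new install phase adds census-ca.pem to the system trust store, but the env block still sets `GIT_SSL_NO_VERIFY: "true"`, so the clone of `${REPO_ORG}/${REPO_NAME}` at `--branch "${REPO_BRANCH}"` is never certificate-checked even when the CA installs correctly, and the `|| echo "WARNING: ... (continuing anyway)"` fallback means a failed CA install also falls straight through to `terraform apply -auto-approve` on unverified code. Drop `GIT_SSL_NO_VERIFY` and let the CA install step fail the build (remove the `|| echo` branch), since the installed CA is now the intended trust path; the same reasoning applies to `VERIFY_SSL=false` in the Lambda that starts this build. Separately, the credential helper is written inside a double-quoted shell string, so `${GITHUB_TOKEN}` is expanded by the shell at `git config --global` time and the PAT is persisted verbatim in the build container's `~/.gitconfig`; quote it as `'!f() { echo username=x-access-token; echo password=$GITHUB_TOKEN; }; f'` so git expands it at use, or use `GIT_ASKPASS`. `REPO_BRANCH` also points at a mutable feature branch (`fix/eca-copilot-instructions-and-callnotes`) and the `curl` fallback fetches Terraform from releases.hashicorp.com without checking `terraform_${TF_VERSION}_SHA256SUMS`, so the code that is auto-applied with the PAT is not pinned; pin `REPO_BRANCH` to a commit SHA (or `main` once merged, as the comment says) and verify the zip's checksum. This buildspec is only mirrored in state here; the change belongs in the buildspec source referenced by `aws_codebuild_project.eks_repo_creator` in deploy/main.tf, which is not in this diff.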
@@ -316,6 +316,31 @@ } ] }, + { + "mode": "managed", + "type": "aws_iam_role_policy", + "name": "tf_github_token_access", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "id": "eks-terragrunt-repo-gen-lambda-role:eks-repo-creator-tf-github-token-access", + "name": "eks-repo-creator-tf-github-token-access", + "name_prefix": "", + "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"secretsmanager:GetSecretValue\"],\"Effect\":\"Allow\",\"Resource\":\"arn:aws-us-gov:secretsmanager:us-gov-west-1:229685449397:secret:ghe-runner/github-token-*\",\"Sid\":\"ReadTFGitHubToken\"}]}", + "role": "eks-terragrunt-repo-gen-lambda-role" + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "data.aws_caller_identity.current", + "module.eks_terragrunt_repo_generator.aws_iam_role.lambda", + "module.eks_terragrunt_repo_generator.data.aws_partition.current" + ] + } + ] + }, { "mode": "managed", "type": "aws_s3_object", @@ -967,6 +992,10 @@ "name": "eks-repo-creator-codebuild-access", "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"codebuild:StartBuild\",\"codebuild:BatchGetBuilds\"],\"Effect\":\"Allow\",\"Resource\":\"arn:aws-us-gov:codebuild:us-gov-west-1:229685449397:project/eks-terragrunt-repo-creator\",\"Sid\":\"StartAndPollBuild\"}]}" }, + { + "name": "eks-repo-creator-tf-github-token-access", + "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"secretsmanager:GetSecretValue\"],\"Effect\":\"Allow\",\"Resource\":\"arn:aws-us-gov:secretsmanager:us-gov-west-1:229685449397:secret:ghe-runner/github-token-*\",\"Sid\":\"ReadTFGitHubToken\"}]}" + }, { "name": "eks-terragrunt-repo-gen-kms-access-policy", "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"kms:Decrypt\",\"kms:DescribeKey\"],\"Effect\":\"Allow\",\"Resource\":[\"*\"]}]}" 
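Review bot: The new `ReadTFGitHubToken` statement lets the Lambda role read the `ghe-runner/github-token` PAT, and per the buildspec header in this same state (`GITHUB_TOKEN — GitHub PAT (passed from Lambda's Secrets Manager read)`, `injected by the Lambda as overrides`) the function then forwards the token to CodeBuild as a StartBuild environment override; unless that override uses type `SECRETS_MANAGER` (not visible here), a PLAINTEXT override is returned in clear by `codebuild:BatchGetBuilds`, which this same role holds, and is shown in the console build details. The token never needs to transit the Lambda: grant `secretsmanager:GetSecretValue` on this ARN to the CodeBuild service role instead, reference it in the buildspec under `env.secrets-manager` (`GITHUB_TOKEN: "ghe-runner/github-token"`), and leave the Lambda with only the project name. Reusing a runner's long-lived user PAT here also inherits whatever scopes that PAT has; the commit message says the only blocker for the short-lived GitHub App token was `data.github_user.current` calling `/api/v3/user`, so a dedicated token limited to repository administration on the target org (a fine-grained PAT if this GHE version supports them), or removing that data source from the module, keeps the blast radius smaller than a shared runner token. The neighbouring `eks-terragrunt-repo-gen-kms-access-policy` still allows `kms:Decrypt` on `Resource: ["*"]`; scoping it to the key that encrypts these secrets closes the obvious path for the role to decrypt anything else it can reach.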
@@ -1155,7 +1184,7 @@ "x86_64" ], "arn": "arn:aws-us-gov:lambda:us-gov-west-1:229685449397:function:eks-terragrunt-repo-gen-template-automation", - "code_sha256": "2e16bf46a2f11897e0aa8542802533a893c215d575725b48752bd99f783e1f89", + "code_sha256": "d49d016b3984ba4e9d860e4ec1f9511a4e7eaa1cbe240fd9dbfb36dea069fbdf", "code_signing_config_arn": null, "dead_letter_config": [], "description": "", @@ -1169,6 +1198,7 @@ "PARAM_STORE_PREFIX": "/eks-terragrunt-repo-gen", "REPO_VISIBILITY": "public", "TEMPLATE_REPO_NAME": "template-eks-cluster", + "TF_GITHUB_TOKEN_SECRET_NAME": "ghe-runner/github-token", "VERIFY_SSL": "false" } } @@ -1187,7 +1217,7 @@ "image_uri": "229685449397.dkr.ecr.us-gov-west-1.amazonaws.com/eks-terragrunt-repo-generator/lambda:latest", "invoke_arn": "arn:aws-us-gov:apigateway:us-gov-west-1:lambda:path/2015-03-31/functions/arn:aws-us-gov:lambda:us-gov-west-1:229685449397:function:eks-terragrunt-repo-gen-template-automation/invocations", "kms_key_arn": "", - "last_modified": "2026-04-06T17:58:08.000+0000", + "last_modified": "2026-04-07T17:09:55.000+0000", "layers": [], "logging_config": [ { 
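Review bot: `TF_GITHUB_TOKEN_SECRET_NAME` hands this function a long-lived PAT while the adjacent `VERIFY_SSL: "false"` (set, per the log in deploy/.terraform_commits, because the Census CA is not in certifi) leaves the GitHub client that presents that token without certificate verification, so the PAT is exposed to anything on-path between the VPC and github.e.it.census.gov. The CodeBuild side of this same change already pulls `certs/census-ca.pem` from the assets bucket; bake the same CA into the Lambda image and point the client at it (e.g. `REQUESTS_CA_BUNDLE=/etc/ssl/certs/census-ca.pem`, or `VERIFY_SSL` set to the bundle path) instead of `false`. How app.py consumes `VERIFY_SSL` is not visible here, so confirm it accepts a path as well as a boolean before switching.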
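Review bot: The function is deployed from `eks-terragrunt-repo-generator/lambda:latest`, a mutable tag, so the only record of which image actually runs is the `code_sha256` that flips in the hunk above, and nothing in configuration pins it; anyone with push access to that ECR repository changes what the next apply deploys. Pin `image_uri` to an immutable digest (`...lambda@sha256:<digest>`) in deploy/main.tf (not in this diff) and enable tag immutability on the repository so the recorded `code_sha256` corresponds to a reviewable image. Lambda resolves the tag to a digest at create/update time, so the exposure is at apply time rather than on each invocation, but the provenance gap is the same.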
@@ -1200,8 +1230,8 @@ "memory_size": 512, "package_type": "Image", "publish": true, - "qualified_arn": "arn:aws-us-gov:lambda:us-gov-west-1:229685449397:function:eks-terragrunt-repo-gen-template-automation:4", - "qualified_invoke_arn": "arn:aws-us-gov:apigateway:us-gov-west-1:lambda:path/2015-03-31/functions/arn:aws-us-gov:lambda:us-gov-west-1:229685449397:function:eks-terragrunt-repo-gen-template-automation:4/invocations", + "qualified_arn": "arn:aws-us-gov:lambda:us-gov-west-1:229685449397:function:eks-terragrunt-repo-gen-template-automation:6", + "qualified_invoke_arn": "arn:aws-us-gov:apigateway:us-gov-west-1:lambda:path/2015-03-31/functions/arn:aws-us-gov:lambda:us-gov-west-1:229685449397:function:eks-terragrunt-repo-gen-template-automation:6/invocations", "replace_security_groups_on_destroy": null, "replacement_security_group_ids": null, "reserved_concurrent_executions": -1, @@ -1226,14 +1256,14 @@ "ManagedBy": "Terraform", "Purpose": "EKSTerragruntRepoGenerator" }, - "timeout": 300, + "timeout": 900, "timeouts": null, "tracing_config": [ { "mode": "PassThrough" } ], - "version": "4", + "version": "6", "vpc_config": [ { "ipv6_allowed_for_dual_stack": false, @@ -1403,13 +1433,13 @@ [ { "type": "get_attr", - "value": "value_wo" + "value": "value" } ], [ { "type": "get_attr", - "value": "value" + "value": "value_wo" } ] ], @@ -1450,13 +1480,13 @@ [ { "type": "get_attr", - "value": "value" + "value": "value_wo" } ], [ { "type": "get_attr", - "value": "value_wo" + "value": "value" } ] ], @@ -1497,13 +1527,13 @@ [ { "type": "get_attr", - "value": "value_wo" + "value": "value" } ], [ { "type": "get_attr", - "value": "value" + "value": "value_wo" } ] ], @@ -1685,13 +1715,13 @@ [ { "type": "get_attr", - "value": "value_wo" + "value": "value" } ], [ { "type": "get_attr", - "value": "value" + "value": "value_wo" } ] ], diff --git a/deploy/terraform.tfstate.backup b/deploy/terraform.tfstate.backup index 5df4e0c..8569f2e 100644 --- a/deploy/terraform.tfstate.backup 
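Review bot: `timeout: 900` is the Lambda hard maximum, so the 180 s buffer the commit message describes is all the headroom this design will ever have; if `poll_codebuild_build`'s window is widened again, or CodeBuild queues the build before it starts running, the function is killed without sending a cfn-response and CloudFormation waits the full hour for the custom resource. Rather than blocking a 512 MB function for up to 15 minutes per request, subscribe to the `CodeBuild Build State Change` EventBridge event for `eks-terragrunt-repo-creator` and send the cfn-response from a second handler (or drive it with Step Functions), so the synchronous Lambda only starts the build and returns. If the poll stays, at least have the poller stop at a fixed deadline well short of `context.get_remaining_time_in_millis()` and emit a FAILED cfn-response itself, so a timeout never leaves the stack hanging. app.py is not in this diff, so whether it already does that is inferred from the commit message alone.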
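Review bot: `deploy/terraform.tfstate` and `deploy/terraform.tfstate.backup` are tracked in git (both carry `index` lines in this diff), and the `sensitive_attributes` entries that flip between `value` and `value_wo` in these four hunks show the state holds resources whose values Terraform marks sensitive; the sensitive flag only redacts CLI output, and any non-write-only sensitive value is stored in the state file in clear text, alongside the account id, IAM policies and the full buildspec. Move state to a remote backend with encryption at rest and locking (S3 with SSE-KMS and a DynamoDB lock table in us-gov-west-1), add `*.tfstate` and `*.tfstate.backup` to `.gitignore`, and treat every secret that has ever been in a committed state file as exposed: rotate it and purge the files from history, since deleting them in a later commit does not remove them. The resource type behind these `value`/`value_wo` paths is outside the hunks, so which specific secrets are affected has to be checked in the full state. The oscillating order of the two paths across serials also means every apply rewrites these lines, which will keep producing noisy diffs on this file until it leaves the repo.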
+++ b/deploy/terraform.tfstate.backup @@ -1,7 +1,7 @@ { "version": 4, "terraform_version": "1.9.1", - "serial": 194, + "serial": 209, "lineage": "637f189b-ce2c-766c-35d1-8b43eb7ae216", "outputs": { "api_endpoint": { 
@@ -177,7 +177,7 @@ { "auth": [], "build_status_config": [], - "buildspec": "version: 0.2\n# buildspec.yml — terraform-eks-deployment / eks-terragrunt-repo-creator\n#\n# This buildspec is used by the CodeBuild project that is triggered by the\n# Lambda function (eks-terragrunt-repo-gen-template-automation) to create an\n# EKS cluster GitHub repository.\n#\n# Required environment variables (injected by the Lambda as overrides):\n# TF_VAR_name — cluster / repo name\n# TF_VAR_environment — environment (dev / nonprod / prod)\n# TF_VAR_region — AWS region (e.g. us-gov-west-1)\n# TF_VAR_cluster_config — JSON object with account_name, aws_account_id, etc.\n# TF_VAR_finops — JSON object with finops project_name / project_number\n# GITHUB_TOKEN — GitHub PAT (passed from Lambda's Secrets Manager read)\n# GITHUB_OWNER — GitHub org (default: SCT-Engineering)\n# GITHUB_BASE_URL — GHE base URL (e.g. https://github.e.it.census.gov)\n\nenv:\n variables:\n TF_VERSION: \"1.9.0\"\n ASSETS_BUCKET: \"csvd-packer-pipeline-assets\"\n REPO_HOST: \"github.e.it.census.gov\"\n REPO_ORG: \"CSVD\"\n REPO_NAME: \"terraform-eks-deployment\"\n # Disable TLS verification for Census GHE (Census CA cert not trusted by default)\n GIT_SSL_NO_VERIFY: \"true\"\n TF_CLI_ARGS: \"-no-color\"\n\nphases:\n install:\n commands:\n # ── Install Terraform ─────────────────────────────────────────────────\n - |\n if ! 
command -v terraform \u0026\u003e/dev/null; then\n TF_ZIP=\"terraform_${TF_VERSION}_linux_amd64.zip\"\n echo \"Installing Terraform ${TF_VERSION}...\"\n aws s3 cp \"s3://${ASSETS_BUCKET}/terraform/${TF_ZIP}\" /tmp/${TF_ZIP} 2\u003e/dev/null \\\n || curl -fsSL \"https://releases.hashicorp.com/terraform/${TF_VERSION}/${TF_ZIP}\" -o /tmp/${TF_ZIP}\n unzip -oq /tmp/${TF_ZIP} -d /usr/local/bin/\n chmod +x /usr/local/bin/terraform\n rm /tmp/${TF_ZIP}\n fi\n - terraform version\n\n # ── Clone terraform-eks-deployment ───────────────────────────────────\n - |\n git config --global credential.helper \\\n \"!f() { echo username=x-access-token; echo password=${GITHUB_TOKEN}; }; f\"\n git clone --depth 1 \\\n \"https://${REPO_HOST}/${REPO_ORG}/${REPO_NAME}.git\" \\\n /tmp/eks-deploy\n - echo \"Cloned ${REPO_ORG}/${REPO_NAME} @ $(git -C /tmp/eks-deploy rev-parse --short HEAD)\"\n\n build:\n commands:\n - cd /tmp/eks-deploy\n - echo \"=== terraform init ===\"\n - terraform init -no-color\n - echo \"=== terraform apply ===\"\n - terraform apply -auto-approve -no-color\n\n post_build:\n commands:\n - |\n if [ \"${CODEBUILD_BUILD_SUCCEEDING}\" = \"0\" ]; then\n echo \"Build FAILED — check logs above\"\n else\n echo \"Build SUCCEEDED — repository created\"\n fi\n", + "buildspec": "version: 0.2\n# buildspec.yml — terraform-eks-deployment / eks-terragrunt-repo-creator\n#\n# This buildspec is used by the CodeBuild project that is triggered by the\n# Lambda function (eks-terragrunt-repo-gen-template-automation) to create an\n# EKS cluster GitHub repository.\n#\n# Required environment variables (injected by the Lambda as overrides):\n# TF_VAR_name — cluster / repo name\n# TF_VAR_environment — environment (dev / nonprod / prod)\n# TF_VAR_region — AWS region (e.g. 
us-gov-west-1)\n# TF_VAR_cluster_config — JSON object with account_name, aws_account_id, etc.\n# TF_VAR_finops — JSON object with finops project_name / project_number\n# GITHUB_TOKEN — GitHub PAT (passed from Lambda's Secrets Manager read)\n# GITHUB_OWNER — GitHub org (default: SCT-Engineering)\n# GITHUB_BASE_URL — GHE base URL (e.g. https://github.e.it.census.gov)\n\nenv:\n variables:\n TF_VERSION: \"1.9.1\"\n ASSETS_BUCKET: \"csvd-packer-pipeline-assets\"\n REPO_HOST: \"github.e.it.census.gov\"\n REPO_ORG: \"SCT-Engineering\"\n REPO_NAME: \"terraform-eks-deployment\"\n REPO_BRANCH: \"fix/eca-copilot-instructions-and-callnotes\" # update to main once merged\n # Disable TLS verification for Census GHE (Census CA cert not trusted by default)\n GIT_SSL_NO_VERIFY: \"true\"\n TF_CLI_ARGS: \"-no-color\"\n # Census proxy — required for registry.terraform.io provider downloads\n HTTPS_PROXY: \"http://proxy.tco.census.gov:3128\"\n HTTP_PROXY: \"http://proxy.tco.census.gov:3128\"\n # Exclude AWS-internal endpoints and Census GHE from the proxy\n NO_PROXY: \"169.254.169.254,169.254.170.2,s3.us-gov-west-1.amazonaws.com,s3.amazonaws.com,.amazonaws.com,.us-gov-west-1.amazonaws.com,github.e.it.census.gov\"\n\nphases:\n install:\n commands:\n # ── Install Census Bureau CA certificate ──────────────────────────────\n # The Census GHE TLS cert is issued by the Census Bureau CA which is not\n # trusted by the CodeBuild Amazon Linux 2 trust store by default.\n - |\n aws s3 cp \"s3://${ASSETS_BUCKET}/certs/census-ca.pem\" \\\n /etc/pki/ca-trust/source/anchors/census-ca.pem 2\u003e/dev/null \\\n \u0026\u0026 update-ca-trust \\\n \u0026\u0026 echo \"Census CA cert installed\" \\\n || echo \"WARNING: could not install Census CA cert (continuing anyway)\"\n\n # ── Install Terraform ─────────────────────────────────────────────────\n - |\n if ! 
command -v terraform \u0026\u003e/dev/null; then\n TF_ZIP=\"terraform_${TF_VERSION}_linux_amd64.zip\"\n echo \"Installing Terraform ${TF_VERSION}...\"\n aws s3 cp \"s3://${ASSETS_BUCKET}/terraform/${TF_ZIP}\" /tmp/${TF_ZIP} 2\u003e/dev/null \\\n || curl -fsSL \"https://releases.hashicorp.com/terraform/${TF_VERSION}/${TF_ZIP}\" -o /tmp/${TF_ZIP}\n unzip -oq /tmp/${TF_ZIP} -d /usr/local/bin/\n chmod +x /usr/local/bin/terraform\n rm /tmp/${TF_ZIP}\n fi\n - terraform version\n\n # ── Clone terraform-eks-deployment ───────────────────────────────────\n - |\n git config --global credential.helper \\\n \"!f() { echo username=x-access-token; echo password=${GITHUB_TOKEN}; }; f\"\n git clone --depth 1 --branch \"${REPO_BRANCH}\" \\\n \"https://${REPO_HOST}/${REPO_ORG}/${REPO_NAME}.git\" \\\n /tmp/eks-deploy\n - echo \"Cloned ${REPO_ORG}/${REPO_NAME} @ $(git -C /tmp/eks-deploy rev-parse --short HEAD)\"\n\n build:\n commands:\n - cd /tmp/eks-deploy\n - echo \"=== terraform init ===\"\n - terraform init -no-color\n - echo \"=== terraform apply ===\"\n - terraform apply -auto-approve -no-color\n\n post_build:\n commands:\n - |\n if [ \"${CODEBUILD_BUILD_SUCCEEDING}\" = \"0\" ]; then\n echo \"Build FAILED — check logs above\"\n else\n echo \"Build SUCCEEDED — repository created\"\n fi\n", "git_clone_depth": 0, "git_submodules_config": [], "insecure_ssl": false, 
@@ -316,6 +316,31 @@ } ] }, + { + "mode": "managed", + "type": "aws_iam_role_policy", + "name": "tf_github_token_access", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "id": "eks-terragrunt-repo-gen-lambda-role:eks-repo-creator-tf-github-token-access", + "name": "eks-repo-creator-tf-github-token-access", + "name_prefix": "", + "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"secretsmanager:GetSecretValue\"],\"Effect\":\"Allow\",\"Resource\":\"arn:aws-us-gov:secretsmanager:us-gov-west-1:229685449397:secret:ghe-runner/github-token-*\",\"Sid\":\"ReadTFGitHubToken\"}]}", + "role": "eks-terragrunt-repo-gen-lambda-role" + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "data.aws_caller_identity.current", + "module.eks_terragrunt_repo_generator.aws_iam_role.lambda", + "module.eks_terragrunt_repo_generator.data.aws_partition.current" + ] + } + ] + }, { "mode": "managed", "type": "aws_s3_object", @@ -963,6 +988,10 @@ "force_detach_policies": false, "id": "eks-terragrunt-repo-gen-lambda-role", "inline_policy": [ + { + "name": "eks-repo-creator-codebuild-access", + "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"codebuild:StartBuild\",\"codebuild:BatchGetBuilds\"],\"Effect\":\"Allow\",\"Resource\":\"arn:aws-us-gov:codebuild:us-gov-west-1:229685449397:project/eks-terragrunt-repo-creator\",\"Sid\":\"StartAndPollBuild\"}]}" + }, { "name": "eks-terragrunt-repo-gen-kms-access-policy", "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"kms:Decrypt\",\"kms:DescribeKey\"],\"Effect\":\"Allow\",\"Resource\":[\"*\"]}]}" 
@@ -1151,7 +1180,7 @@ "x86_64" ], "arn": "arn:aws-us-gov:lambda:us-gov-west-1:229685449397:function:eks-terragrunt-repo-gen-template-automation", - "code_sha256": "2e16bf46a2f11897e0aa8542802533a893c215d575725b48752bd99f783e1f89", + "code_sha256": "d49d016b3984ba4e9d860e4ec1f9511a4e7eaa1cbe240fd9dbfb36dea069fbdf", "code_signing_config_arn": null, "dead_letter_config": [], "description": "", @@ -1165,6 +1194,7 @@ "PARAM_STORE_PREFIX": "/eks-terragrunt-repo-gen", "REPO_VISIBILITY": "public", "TEMPLATE_REPO_NAME": "template-eks-cluster", + "TF_GITHUB_TOKEN_SECRET_NAME": "ghe-runner/github-token", "VERIFY_SSL": "false" } } @@ -1183,7 +1213,7 @@ "image_uri": "229685449397.dkr.ecr.us-gov-west-1.amazonaws.com/eks-terragrunt-repo-generator/lambda:latest", "invoke_arn": "arn:aws-us-gov:apigateway:us-gov-west-1:lambda:path/2015-03-31/functions/arn:aws-us-gov:lambda:us-gov-west-1:229685449397:function:eks-terragrunt-repo-gen-template-automation/invocations", "kms_key_arn": "", - "last_modified": "2026-04-06T17:58:08.000+0000", + "last_modified": "2026-04-07T17:09:55.000+0000", "layers": [], "logging_config": [ { 
@@ -1196,8 +1226,8 @@ "memory_size": 512, "package_type": "Image", "publish": true, - "qualified_arn": "arn:aws-us-gov:lambda:us-gov-west-1:229685449397:function:eks-terragrunt-repo-gen-template-automation:4", - "qualified_invoke_arn": "arn:aws-us-gov:apigateway:us-gov-west-1:lambda:path/2015-03-31/functions/arn:aws-us-gov:lambda:us-gov-west-1:229685449397:function:eks-terragrunt-repo-gen-template-automation:4/invocations", + "qualified_arn": "arn:aws-us-gov:lambda:us-gov-west-1:229685449397:function:eks-terragrunt-repo-gen-template-automation:6", + "qualified_invoke_arn": "arn:aws-us-gov:apigateway:us-gov-west-1:lambda:path/2015-03-31/functions/arn:aws-us-gov:lambda:us-gov-west-1:229685449397:function:eks-terragrunt-repo-gen-template-automation:6/invocations", "replace_security_groups_on_destroy": null, "replacement_security_group_ids": null, "reserved_concurrent_executions": -1, @@ -1222,14 +1252,14 @@ "ManagedBy": "Terraform", "Purpose": "EKSTerragruntRepoGenerator" }, - "timeout": 300, + "timeout": 900, "timeouts": null, "tracing_config": [ { "mode": "PassThrough" } ], - "version": "4", + "version": "6", "vpc_config": [ { "ipv6_allowed_for_dual_stack": false, @@ -1540,13 +1570,13 @@ [ { "type": "get_attr", - "value": "value" + "value": "value_wo" } ], [ { "type": "get_attr", - "value": "value_wo" + "value": "value" } ] ], @@ -1587,13 +1617,13 @@ [ { "type": "get_attr", - "value": "value" + "value": "value_wo" } ], [ { "type": "get_attr", - "value": "value_wo" + "value": "value" } ] ], @@ -1634,13 +1664,13 @@ [ { "type": "get_attr", - "value": "value" + "value": "value_wo" } ], [ { "type": "get_attr", - "value": "value_wo" + "value": "value" } ] ],