fix(deploy): add eks-repo-creator buildspec; fix partition refs in IA…

…M policies

Adds deploy/buildspec-eks-repo-creator.yml — the CodeBuild buildspec for
the eks-terragrunt-repo-creator project, versioned alongside the Terraform
that manages it rather than referencing terraform-eks-deployment.

Currently points at REPO_BRANCH=test_cluster (PR #16 under review) — must
be updated to 'main' once PR #16 merges.

Also fixes all IAM policy ARN constructions to use data.aws_partition.current
instead of data.aws_caller_identity.current (caller_identity has no
.partition attribute in this provider version).

deploy/buildspec-eks-repo-creator.yml

@@ -0,0 +1,89 @@
+version: 0.2
+# buildspec-eks-repo-creator.yml
+#
+# Used by the CodeBuild project eks-terragrunt-repo-creator, which is triggered
+# by the Lambda (eks-terragrunt-repo-gen-template-automation) to create an EKS
+# cluster GitHub repository.
+#
+# Required environment variables (injected by the Lambda as overrides):
+#   TF_VAR_name           — cluster / repo name
+#   TF_VAR_environment    — environment (dev / nonprod / prod)
+#   TF_VAR_region         — AWS region (e.g. us-gov-west-1)
+#   TF_VAR_cluster_config — JSON object with account_name, aws_account_id, etc.
+#   TF_VAR_finops         — JSON object with finops project_name / project_number
+#   GITHUB_TOKEN          — GitHub PAT (passed from Lambda's Secrets Manager read)
+#   GITHUB_OWNER          — GitHub org (default: SCT-Engineering)
+#   GITHUB_BASE_URL       — GHE base URL (e.g. https://github.e.it.census.gov)
+
+env:
+  variables:
+    TF_VERSION: "1.9.1"
+    ASSETS_BUCKET: "csvd-packer-pipeline-assets"
+    REPO_HOST: "github.e.it.census.gov"
+    REPO_ORG: "SCT-Engineering"
+    REPO_NAME: "terraform-eks-deployment"
+    REPO_BRANCH: "test_cluster"  # PR #16 — switch back to main after merge
+    # Disable TLS verification for Census GHE (Census CA cert not trusted by default)
+    GIT_SSL_NO_VERIFY: "true"
+    TF_VAR_run_in_codebuild: "true"
+    TF_CLI_ARGS: "-no-color"
+    # Census proxy — required for registry.terraform.io provider downloads
+    HTTPS_PROXY: "http://proxy.tco.census.gov:3128"
+    HTTP_PROXY: "http://proxy.tco.census.gov:3128"
+    # Exclude AWS-internal endpoints and Census GHE from the proxy
+    NO_PROXY: "169.254.169.254,169.254.170.2,s3.us-gov-west-1.amazonaws.com,s3.amazonaws.com,.amazonaws.com,.us-gov-west-1.amazonaws.com,github.e.it.census.gov"
+
+phases:
+  install:
+    commands:
+      # ── Install Census Bureau CA certificate ──────────────────────────────
+      # The Census GHE TLS cert is issued by the Census Bureau CA which is not
+      # trusted by the CodeBuild Amazon Linux 2 trust store by default.
+      - |
+        aws s3 cp "s3://${ASSETS_BUCKET}/certs/census-ca.pem" \
+          /etc/pki/ca-trust/source/anchors/census-ca.pem 2>/dev/null \
+          && update-ca-trust \
+          && echo "Census CA cert installed" \
+          || echo "WARNING: could not install Census CA cert (continuing anyway)"
+
+      # ── Install Terraform ─────────────────────────────────────────────────
+      - |
+        if ! command -v terraform &>/dev/null; then
+          TF_ZIP="terraform_${TF_VERSION}_linux_amd64.zip"
+          echo "Installing Terraform ${TF_VERSION}..."
+          aws s3 cp "s3://${ASSETS_BUCKET}/terraform/${TF_ZIP}" /tmp/${TF_ZIP} 2>/dev/null \
+            || curl -fsSL "https://releases.hashicorp.com/terraform/${TF_VERSION}/${TF_ZIP}" -o /tmp/${TF_ZIP}
+          unzip -oq /tmp/${TF_ZIP} -d /usr/local/bin/
+          chmod +x /usr/local/bin/terraform
+          rm /tmp/${TF_ZIP}
+        fi
+      - terraform version
+
+      # ── Install Python dependencies for post-apply scripts ───────────────
+      - pip3 install --quiet httpx rich
+
+      # ── Clone terraform-eks-deployment ───────────────────────────────────
+      - |
+        git config --global credential.helper \
+          "!f() { echo username=x-access-token; echo password=${GITHUB_TOKEN}; }; f"
+        git clone --depth 1 --branch "${REPO_BRANCH}" \
+          "https://${REPO_HOST}/${REPO_ORG}/${REPO_NAME}.git" \
+          /tmp/eks-deploy
+      - echo "Cloned ${REPO_ORG}/${REPO_NAME} @ $(git -C /tmp/eks-deploy rev-parse --short HEAD)"
+
+  build:
+    commands:
+      - cd /tmp/eks-deploy
+      - echo "=== terraform init ==="
+      - terraform init -no-color
+      - echo "=== terraform apply ==="
+      - terraform apply -auto-approve -no-color
+
+  post_build:
+    commands:
+      - |
+        if [ "${CODEBUILD_BUILD_SUCCEEDING}" = "0" ]; then
+          echo "Build FAILED — check logs above"
+        else
+          echo "Build SUCCEEDED — repository created"
+        fi

deploy/main.tf

@@ -77,7 +77,7 @@ resource "aws_iam_role_policy" "codebuild_logs" {
         "logs:CreateLogStream",
         "logs:PutLogEvents",
       ]
-      Resource = "arn:${data.aws_caller_identity.current.partition}:logs:${var.aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/codebuild/${var.codebuild_project_name}:*"
+      Resource = "arn:${data.aws_partition.current.partition}:logs:${var.aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/codebuild/${var.codebuild_project_name}:*"
     }]
   })
 }
@@ -95,7 +95,7 @@ resource "aws_iam_role_policy" "codebuild_s3_assets" {
       Sid      = "ReadAssets"
       Effect   = "Allow"
       Action   = ["s3:GetObject"]
-      Resource = "arn:${data.aws_caller_identity.current.partition}:s3:::${var.codebuild_assets_bucket}/*"
+      Resource = "arn:${data.aws_partition.current.partition}:s3:::${var.codebuild_assets_bucket}/*"
     }]
   })
 }
@@ -132,13 +132,13 @@ resource "aws_iam_role_policy" "codebuild_vpc" {
         Sid      = "DeleteNetworkInterface"
         Effect   = "Allow"
         Action   = ["ec2:DeleteNetworkInterface"]
-        Resource = "arn:${data.aws_caller_identity.current.partition}:ec2:${var.aws_region}:${data.aws_caller_identity.current.account_id}:network-interface/*"
+        Resource = "arn:${data.aws_partition.current.partition}:ec2:${var.aws_region}:${data.aws_caller_identity.current.account_id}:network-interface/*"
       },
       {
         Sid      = "CreateNetworkInterfacePermission"
         Effect   = "Allow"
         Action   = ["ec2:CreateNetworkInterfacePermission"]
-        Resource = "arn:${data.aws_caller_identity.current.partition}:ec2:${var.aws_region}:${data.aws_caller_identity.current.account_id}:network-interface/*"
+        Resource = "arn:${data.aws_partition.current.partition}:ec2:${var.aws_region}:${data.aws_caller_identity.current.account_id}:network-interface/*"
         Condition = {
           StringEquals = {
             "ec2:AuthorizedService" = "codebuild.amazonaws.com"
@@ -212,10 +212,10 @@ module "eks_terragrunt_repo_generator" {
 # This project is triggered by the Lambda and runs terraform-eks-deployment
 # (tf init + tf apply) to create the EKS cluster GitHub repository.
 
-# Inline the buildspec from terraform-eks-deployment so both repos share the
-# same build steps without requiring a separate S3 upload.
+# Inline the buildspec for the EKS repo creator CodeBuild project.
+# The file lives alongside this Terraform config so it can be versioned together.
 locals {
-  repo_creator_buildspec = file("${path.module}/../../terraform-eks-deployment/buildspec.yml")
+  repo_creator_buildspec = file("${path.module}/buildspec-eks-repo-creator.yml")
 }
 
 resource "aws_codebuild_project" "eks_repo_creator" {
@@ -288,7 +288,7 @@ resource "aws_iam_role_policy" "tf_github_token_access" {
         Sid      = "ReadTFGitHubToken"
         Effect   = "Allow"
         Action   = ["secretsmanager:GetSecretValue"]
-        Resource = "arn:${data.aws_caller_identity.current.partition}:secretsmanager:${var.aws_region}:${data.aws_caller_identity.current.account_id}:secret:${var.tf_github_token_secret_name}-*"
+        Resource = "arn:${data.aws_partition.current.partition}:secretsmanager:${var.aws_region}:${data.aws_caller_identity.current.account_id}:secret:${var.tf_github_token_secret_name}-*"
       }
     ]
   })