From 237ab9b2899adbd37888f1088c98c9469542cb3a Mon Sep 17 00:00:00 2001
From: Dave Arnold
Date: Tue, 21 Apr 2026 16:13:38 -0400
Subject: [PATCH] fix(deploy): add eks-repo-creator buildspec; fix partition refs in IAM policies
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds deploy/buildspec-eks-repo-creator.yml — the CodeBuild buildspec for the eks-terragrunt-repo-creator project, versioned alongside the Terraform that manages it rather than referencing terraform-eks-deployment. Currently points at REPO_BRANCH=test_cluster (PR #16 under review) — must be updated to 'main' once PR #16 merges. Also fixes all IAM policy ARN constructions to use data.aws_partition.current instead of data.aws_caller_identity.current (caller_identity has no .partition attribute in this provider version).
---
deploy/buildspec-eks-repo-creator.yml | 89 +++++++++++++++++++++++++++
deploy/main.tf | 16 ++---
2 files changed, 97 insertions(+), 8 deletions(-)
create mode 100644 deploy/buildspec-eks-repo-creator.yml

diff --git a/deploy/buildspec-eks-repo-creator.yml b/deploy/buildspec-eks-repo-creator.yml
new file mode 100644
index 0000000..2df5891
--- /dev/null
+++ b/deploy/buildspec-eks-repo-creator.yml
@@ -0,0 +1,89 @@
+version: 0.2
+# buildspec-eks-repo-creator.yml
+#
+# Used by the CodeBuild project eks-terragrunt-repo-creator, which is triggered
+# by the Lambda (eks-terragrunt-repo-gen-template-automation) to create an EKS
+# cluster GitHub repository.
+#
+# Required environment variables (injected by the Lambda as overrides):
+# TF_VAR_name — cluster / repo name
+# TF_VAR_environment — environment (dev / nonprod / prod)
+# TF_VAR_region — AWS region (e.g. us-gov-west-1)
+# TF_VAR_cluster_config — JSON object with account_name, aws_account_id, etc.
+# TF_VAR_finops — JSON object with finops project_name / project_number
+# GITHUB_TOKEN — GitHub PAT (passed from Lambda's Secrets Manager read)
+# GITHUB_OWNER — GitHub org (default: SCT-Engineering)
+# GITHUB_BASE_URL — GHE base URL (e.g. https://github.e.it.census.gov)
+
+env:
+ variables:
+ TF_VERSION: "1.9.1"
+ ASSETS_BUCKET: "csvd-packer-pipeline-assets"
+ REPO_HOST: "github.e.it.census.gov"
+ REPO_ORG: "SCT-Engineering"
+ REPO_NAME: "terraform-eks-deployment"
+ REPO_BRANCH: "test_cluster" # PR #16 — switch back to main after merge
+ # Disable TLS verification for Census GHE (Census CA cert not trusted by default)
+ GIT_SSL_NO_VERIFY: "true"
+ TF_VAR_run_in_codebuild: "true"
+ TF_CLI_ARGS: "-no-color"
+ # Census proxy — required for registry.terraform.io provider downloads
+ HTTPS_PROXY: "http://proxy.tco.census.gov:3128"
+ HTTP_PROXY: "http://proxy.tco.census.gov:3128"
+ # Exclude AWS-internal endpoints and Census GHE from the proxy
+ NO_PROXY: "169.254.169.254,169.254.170.2,s3.us-gov-west-1.amazonaws.com,s3.amazonaws.com,.amazonaws.com,.us-gov-west-1.amazonaws.com,github.e.it.census.gov"
+
+phases:
+ install:
+ commands:
+ # ── Install Census Bureau CA certificate ──────────────────────────────
+ # The Census GHE TLS cert is issued by the Census Bureau CA which is not
+ # trusted by the CodeBuild Amazon Linux 2 trust store by default.
+ - |
+ aws s3 cp "s3://${ASSETS_BUCKET}/certs/census-ca.pem" \
+ /etc/pki/ca-trust/source/anchors/census-ca.pem 2>/dev/null \
+ && update-ca-trust \
+ && echo "Census CA cert installed" \
+ || echo "WARNING: could not install Census CA cert (continuing anyway)"
+
+ # ── Install Terraform ─────────────────────────────────────────────────
+ - |
+ if ! command -v terraform &>/dev/null; then
+ TF_ZIP="terraform_${TF_VERSION}_linux_amd64.zip"
+ echo "Installing Terraform ${TF_VERSION}..."
+ aws s3 cp "s3://${ASSETS_BUCKET}/terraform/${TF_ZIP}" /tmp/${TF_ZIP} 2>/dev/null \
+ || curl -fsSL "https://releases.hashicorp.com/terraform/${TF_VERSION}/${TF_ZIP}" -o /tmp/${TF_ZIP}
+ unzip -oq /tmp/${TF_ZIP} -d /usr/local/bin/
+ chmod +x /usr/local/bin/terraform
+ rm /tmp/${TF_ZIP}
+ fi
+ - terraform version
+
+ # ── Install Python dependencies for post-apply scripts ───────────────
+ - pip3 install --quiet httpx rich
+
+ # ── Clone terraform-eks-deployment ───────────────────────────────────
+ - |
+ git config --global credential.helper \
+ "!f() { echo username=x-access-token; echo password=${GITHUB_TOKEN}; }; f"
+ git clone --depth 1 --branch "${REPO_BRANCH}" \
+ "https://${REPO_HOST}/${REPO_ORG}/${REPO_NAME}.git" \
+ /tmp/eks-deploy
+ - echo "Cloned ${REPO_ORG}/${REPO_NAME} @ $(git -C /tmp/eks-deploy rev-parse --short HEAD)"
+
+ build:
+ commands:
+ - cd /tmp/eks-deploy
+ - echo "=== terraform init ==="
+ - terraform init -no-color
+ - echo "=== terraform apply ==="
+ - terraform apply -auto-approve -no-color
+
+ post_build:
+ commands:
+ - |
+ if [ "${CODEBUILD_BUILD_SUCCEEDING}" = "0" ]; then
+ echo "Build FAILED — check logs above"
+ else
+ echo "Build SUCCEEDED — repository created"
+ fi
diff --git a/deploy/main.tf b/deploy/main.tf
index b68ddb6..b87c015 100644
--- a/deploy/main.tf
+++ b/deploy/main.tf
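Review bot: The credential helper in the clone step of the `install` phase is a double-quoted shell string, so `${GITHUB_TOKEN}` is expanded by the buildspec shell before `git config --global` runs and the PAT is written in plaintext into the container's `~/.gitconfig`, where it outlives the clone and is readable by anything that runs later in the build, including the post-apply scripts and the unpinned `httpx`/`rich` packages installed just above it; single-quoting the helper so git expands the variable from the environment at fetch time, `git config --global credential.helper '!f() { echo username=x-access-token; echo "password=$GITHUB_TOKEN"; }; f'`, avoids persisting it, and a `git config --global --unset credential.helper` after the clone bounds the window further. `GIT_SSL_NO_VERIFY: "true"` in `env.variables` then disables certificate verification for that same authenticated clone, while the CA-install step a few lines below exists precisely to make the GHE certificate trusted, and its `|| echo "WARNING: could not install Census CA cert (continuing anyway)"` fallback means a failed CA install never stops the build; once the CA is installed the override is redundant, so dropping `GIT_SSL_NO_VERIFY` (or setting it to `"false"`) and letting a failed CA install fail the `install` phase keeps the PAT from being presented to an unverified endpoint. The `curl -fsSL "https://releases.hashicorp.com/..."` fallback and `pip3 install --quiet httpx rich` likewise fetch unpinned, unverified artifacts at build time; checking the zip against HashiCorp's published `SHA256SUMS` and pinning the pip packages (or mirroring both into `ASSETS_BUCKET`, as the primary Terraform path already does) would close that gap.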
@@ -77,7 +77,7 @@ resource "aws_iam_role_policy" "codebuild_logs" {
 "logs:CreateLogStream",
 "logs:PutLogEvents",
 ]
-Resource = "arn:${data.aws_caller_identity.current.partition}:logs:${var.aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/codebuild/${var.codebuild_project_name}:*"
+Resource = "arn:${data.aws_partition.current.partition}:logs:${var.aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/codebuild/${var.codebuild_project_name}:*"
 }]
 })
 }
@@ -95,7 +95,7 @@ resource "aws_iam_role_policy" "codebuild_s3_assets" {
 Sid = "ReadAssets"
 Effect = "Allow"
 Action = ["s3:GetObject"]
-Resource = "arn:${data.aws_caller_identity.current.partition}:s3:::${var.codebuild_assets_bucket}/*"
+Resource = "arn:${data.aws_partition.current.partition}:s3:::${var.codebuild_assets_bucket}/*"
 }]
 })
 }
@@ -132,13 +132,13 @@ resource "aws_iam_role_policy" "codebuild_vpc" {
 Sid = "DeleteNetworkInterface"
 Effect = "Allow"
 Action = ["ec2:DeleteNetworkInterface"]
-Resource = "arn:${data.aws_caller_identity.current.partition}:ec2:${var.aws_region}:${data.aws_caller_identity.current.account_id}:network-interface/*"
+Resource = "arn:${data.aws_partition.current.partition}:ec2:${var.aws_region}:${data.aws_caller_identity.current.account_id}:network-interface/*"
 },
 {
 Sid = "CreateNetworkInterfacePermission"
 Effect = "Allow"
 Action = ["ec2:CreateNetworkInterfacePermission"]
-Resource = "arn:${data.aws_caller_identity.current.partition}:ec2:${var.aws_region}:${data.aws_caller_identity.current.account_id}:network-interface/*"
+Resource = "arn:${data.aws_partition.current.partition}:ec2:${var.aws_region}:${data.aws_caller_identity.current.account_id}:network-interface/*"
 Condition = {
 StringEquals = {
 "ec2:AuthorizedService" = "codebuild.amazonaws.com"
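Review bot: Nothing in this patch declares `data "aws_partition" "current"`, and the diffstat's eight deletions are all accounted for by the `Resource` lines rewritten here and in the `@@ -95`, `@@ -132` and `@@ -288` hunks, so the new references resolve only if that data source already exists elsewhere in the module; if it does not, every one of these policies fails at plan time with an undeclared-resource error, and a one-line `data "aws_partition" "current" {}` next to wherever `aws_caller_identity.current` is declared is the fix. Worth confirming with `terraform validate` before merge rather than relying on the CodeBuild apply to surface it. As a point of style, the repeated `arn:${data.aws_partition.current.partition}:...:${data.aws_caller_identity.current.account_id}` prefix across five policies would read more clearly hoisted into `locals`, e.g. `partition = data.aws_partition.current.partition` and `account_id = data.aws_caller_identity.current.account_id`, which also makes the next such mismatch a one-line change. The enclosing `aws_iam_role_policy` blocks begin before each hunk.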
@@ -212,10 +212,10 @@ module "eks_terragrunt_repo_generator" {
 # This project is triggered by the Lambda and runs terraform-eks-deployment
 # (tf init + tf apply) to create the EKS cluster GitHub repository.
-# Inline the buildspec from terraform-eks-deployment so both repos share the
-# same build steps without requiring a separate S3 upload.
+# Inline the buildspec for the EKS repo creator CodeBuild project.
+# The file lives alongside this Terraform config so it can be versioned together.
 locals {
-repo_creator_buildspec = file("${path.module}/../../terraform-eks-deployment/buildspec.yml")
+repo_creator_buildspec = file("${path.module}/buildspec-eks-repo-creator.yml")
 }
 resource "aws_codebuild_project" "eks_repo_creator" {
@@ -288,7 +288,7 @@ resource "aws_iam_role_policy" "tf_github_token_access" {
 Sid = "ReadTFGitHubToken"
 Effect = "Allow"
 Action = ["secretsmanager:GetSecretValue"]
-Resource = "arn:${data.aws_caller_identity.current.partition}:secretsmanager:${var.aws_region}:${data.aws_caller_identity.current.account_id}:secret:${var.tf_github_token_secret_name}-*"
+Resource = "arn:${data.aws_partition.current.partition}:secretsmanager:${var.aws_region}:${data.aws_caller_identity.current.account_id}:secret:${var.tf_github_token_secret_name}-*"
 }
 ]
 })