fix: VERIFY_SSL=false; public repo visibility; add ec2:DescribeVpcs t…

…o SC launch role

- VERIFY_SSL was incorrectly set to 'true' (Census CA cert not in certifi)
- repo_visibility changed from 'internal' to 'public' per ECA requirements
- Added EC2DescribeVpcs permission to SC launch role IAM policy

deploy/main.tf

@@ -55,7 +55,9 @@ module "eks_terragrunt_repo_generator" {
     environment_variables = merge(
       var.additional_env_vars,
       {
-        VERIFY_SSL = "true"
+        # Census CA cert is not in the container's certifi bundle; keep false until
+        # the image is rebuilt with the Census CA cert baked in.
+        VERIFY_SSL = "false"
       }
     )
   }

deploy/service_catalog.tf

@@ -141,6 +141,14 @@ resource "aws_iam_role_policy" "service_catalog_launch" {
         ]
         Resource = "*"
       },
+      {
+        Sid    = "EC2DescribeVpcs"
+        Effect = "Allow"
+        Action = [
+          "ec2:DescribeVpcs"
+        ]
+        Resource = "*"
+      },
       {
         Sid    = "S3ReadTemplate"
         Effect = "Allow"

deploy/terraform.tfvars

@@ -8,7 +8,7 @@ aws_region = "us-gov-west-1"
 github_api_url           = "https://github.e.it.census.gov" # GHE URL (code adds /api/v3 automatically)
 github_org_name          = "SCT-Engineering"
 template_repo_name       = "template-eks-cluster"
-repo_visibility          = "internal" # GHE enterprise policy blocks 'private'; use 'internal'
+repo_visibility          = "public" # Repos are visible to all org members on GHE
 github_token_secret_name = "/eks-cluster-deployment/github_token"
 
 # ── Service Catalog ──────────────────────────────────────────────────────