From 528f4b3c9d142dc7b5b4cd3e9f7ce00aa98352ca Mon Sep 17 00:00:00 2001
From: Your Name
Date: Thu, 2 Apr 2026 15:50:29 -0400
Subject: [PATCH] fix: VERIFY_SSL=false; public repo visibility; add ec2:DescribeVpcs to SC launch role

- VERIFY_SSL was incorrectly set to 'true' (Census CA cert not in certifi)
- repo_visibility changed from 'internal' to 'public' per ECA requirements
- Added EC2DescribeVpcs permission to SC launch role IAM policy

---
deploy/main.tf | 4 +++-
deploy/service_catalog.tf | 8 ++++++++
deploy/terraform.tfvars | 2 +-
3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/deploy/main.tf b/deploy/main.tf
index 3510986..5bd55d5 100644
--- a/deploy/main.tf
+++ b/deploy/main.tf
@@ -55,7 +55,9 @@ module "eks_terragrunt_repo_generator" {
 environment_variables = merge(
 var.additional_env_vars,
 {
- VERIFY_SSL = "true"
+ # Census CA cert is not in the container's certifi bundle; keep false until
+ # the image is rebuilt with the Census CA cert baked in.
+ VERIFY_SSL = "false"
 }
 )
 }
diff --git a/deploy/service_catalog.tf b/deploy/service_catalog.tf
index ac91c7d..7486f66 100644
--- a/deploy/service_catalog.tf
+++ b/deploy/service_catalog.tf
@@ -141,6 +141,14 @@ resource "aws_iam_role_policy" "service_catalog_launch" {
 ]
 Resource = "*"
 },
+ {
+ Sid = "EC2DescribeVpcs"
+ Effect = "Allow"
+ Action = [
+ "ec2:DescribeVpcs"
+ ]
+ Resource = "*"
+ },
 {
 Sid = "S3ReadTemplate"
 Effect = "Allow"
diff --git a/deploy/terraform.tfvars b/deploy/terraform.tfvars
index fd0b09b..6c265e0 100644
--- a/deploy/terraform.tfvars
+++ b/deploy/terraform.tfvars
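Review bot: `VERIFY_SSL = "false"` turns off TLS certificate verification for every call the generator makes to the GHE API, which the tfvars hunk shows is `https://github.e.it.census.gov` and is authenticated with the token read from `github_token_secret_name`; with verification disabled that token is sent to whatever answers for that hostname, so the workaround trades a missing CA bundle for credential exposure to an on-path attacker. The fix that matches the comment's own diagnosis is to supply the Census CA rather than skip the check: keep `VERIFY_SSL = "true"` and hand the bundle to the container, e.g. `REQUESTS_CA_BUNDLE` / `SSL_CERT_FILE` pointing at a mounted CA file, if the generator honours those variables (not visible here). If `false` has to ship, the comment should name the tracking issue and the expected revert date, since `keep false until` currently has no owner. The module block continues outside the hunk.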
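Review bot: The new `EC2DescribeVpcs` statement carries no comment saying which launch step needs it, and a reader of the launch-role policy cannot tell from `Resource = "*"` whether the wildcard was chosen or forced. Both fit in one comment above the statement: `# Needed by the product's VPC lookup at launch; ec2:DescribeVpcs has no resource-level permissions, so "*" is the only valid scope` — adjust the first clause to whatever the template actually does, which is not visible in this diff. The statement immediately above, cut off at the top of the hunk, already ends in `Resource = "*"`; if it is the role's EC2 read-only block, appending `"ec2:DescribeVpcs"` to its `Action` list keeps the policy shorter than a one-action Sid. The `aws_iam_role_policy` resource starts and ends outside the hunk.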
@@ -8,7 +8,7 @@ aws_region = "us-gov-west-1"
 github_api_url = "https://github.e.it.census.gov" # GHE URL (code adds /api/v3 automatically)
 github_org_name = "SCT-Engineering"
 template_repo_name = "template-eks-cluster"
-repo_visibility = "internal" # GHE enterprise policy blocks 'private'; use 'internal'
+repo_visibility = "public" # Repos are visible to all org members on GHE
 github_token_secret_name = "/eks-cluster-deployment/github_token"
 # ── Service Catalog ──────────────────────────────────────────────────────
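Review bot: The new comment on `repo_visibility = "public"` misstates the scope of the change: `internal` was already readable by every member of the enterprise, while `public` on a GHE instance is readable by every account on that instance and, where the instance allows anonymous Git read access, without authentication at all, so "visible to all org members" describes the old value better than the new one. Since the commit message attributes the change to ECA requirements, the comment should record that instead: `repo_visibility = "public" # ECA requires public; on GHE this is readable by every user on the instance, not only this org`. The repositories this setting governs are generated from `template-eks-cluster`, so before this lands someone should confirm they never receive secrets (tokens, kubeconfigs, state); that cannot be verified from this diff.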