fix: use PAT (ghe-runner/github-token) for Terraform GitHub provider …

…in CodeBuild The standard github_token (/eks-cluster-deployment/github_token) is a GitHub App installation token (ghs_ prefix) which cannot access /api/v3/user. This endpoint is always called by the CSVD terraform-github-repo module's data.github_user.current resource. Changes: - app.py: check TF_GITHUB_TOKEN_SECRET_NAME env var first for CodeBuild token; falls back to GITHUB_TOKEN_SECRET_NAME if not set - deploy/main.tf: add TF_GITHUB_TOKEN_SECRET_NAME=ghe-runner/github-token env var - deploy/main.tf: add IAM policy granting Lambda access to ghe-runner/github-token
CSVD · Apr 7, 2026 · 5d3ff19 · 5d3ff19
1 parent eb18463
commit 5d3ff19
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 1 deletion.
diff --git a/deploy/main.tf b/deploy/main.tf
@@ -61,6 +61,11 @@ module "eks_terragrunt_repo_generator" {
 
         # Name of the CodeBuild project that runs terraform-eks-deployment for EKS repos
         CODEBUILD_PROJECT_NAME = var.codebuild_project_name
+
+        # PAT used by CodeBuild/Terraform for the GitHub provider (must be a ghp_ PAT —
+        # the standard App installation token ghs_ cannot access /api/v3/user which is
+        # required by the CSVD terraform-github-repo module).
+        TF_GITHUB_TOKEN_SECRET_NAME = "ghe-runner/github-token"
       }
     )
   }
@@ -133,6 +138,27 @@ resource "aws_iam_role_policy" "codebuild_access" {
   })
 }
 
+# ── IAM: allow Lambda to read the PAT used for CodeBuild/Terraform ──────────
+# The standard github_token secret may hold a GitHub App installation token
+# (ghs_) which cannot access /api/v3/user — required by the CSVD
+# terraform-github-repo module. Grant access to the GHE runner PAT instead.
+resource "aws_iam_role_policy" "tf_github_token_access" {
+  name = "eks-repo-creator-tf-github-token-access"
+  role = module.eks_terragrunt_repo_generator.lambda_role_id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid      = "ReadTFGitHubToken"
+        Effect   = "Allow"
+        Action   = ["secretsmanager:GetSecretValue"]
+        Resource = "arn:aws-us-gov:secretsmanager:${var.aws_region}:${data.aws_caller_identity.current.account_id}:secret:ghe-runner/github-token-*"
+      }
+    ]
+  })
+}
+
 # ── VPC endpoint: CodeBuild (interface) ──────────────────────────────────────
 # The Lambda runs inside a VPC; without this endpoint the CodeBuild API call
 # times out because there is no NAT/internet path for codebuild.amazonaws.com.

diff --git a/template_automation/app.py b/template_automation/app.py
@@ -718,7 +718,16 @@ def lambda_handler(event: dict, context) -> dict:
         # build, wait for it, and relay the result back to CloudFormation.
         if cfn_input.is_eks_deployment:
             logger.info(f"[{request_id}] EKS deployment detected – delegating to CodeBuild")
-            github_token = get_secret(os.environ["GITHUB_TOKEN_SECRET_NAME"])
+            # Use a dedicated PAT for CodeBuild/Terraform if configured; the standard
+            # GITHUB_TOKEN_SECRET_NAME may hold a GitHub App installation token (ghs_)
+            # which cannot access /api/v3/user — required by the CSVD terraform-github-repo
+            # module's data.github_user.current lookup.
+            tf_token_secret = os.environ.get(
+                "TF_GITHUB_TOKEN_SECRET_NAME",
+                os.environ["GITHUB_TOKEN_SECRET_NAME"]
+            )
+            logger.info(f"[{request_id}] Fetching Terraform GitHub token from secret: {tf_token_secret}")
+            github_token = get_secret(tf_token_secret)
             build_id = start_codebuild_build(cfn_input, github_token, request_id)
             build_status, logs_url = poll_codebuild_build(build_id, request_id)