From 5d3ff19015b916206a52dc8d591cea529b9d62ce Mon Sep 17 00:00:00 2001
From: Your Name
Date: Tue, 7 Apr 2026 13:09:34 -0400
Subject: [PATCH] fix: use PAT (ghe-runner/github-token) for Terraform GitHub provider in CodeBuild
The standard github_token (/eks-cluster-deployment/github_token) is a GitHub App installation token (ghs_ prefix) which cannot access /api/v3/user. This endpoint is always called by the CSVD terraform-github-repo module's data.github_user.current resource.
Changes:
- app.py: check TF_GITHUB_TOKEN_SECRET_NAME env var first for CodeBuild token; falls back to GITHUB_TOKEN_SECRET_NAME if not set
- deploy/main.tf: add TF_GITHUB_TOKEN_SECRET_NAME=ghe-runner/github-token env var
- deploy/main.tf: add IAM policy granting Lambda access to ghe-runner/github-token
---
 deploy/main.tf | 26 ++++++++++++++++++++++++++
 template_automation/app.py | 11 ++++++++++-
 2 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/deploy/main.tf b/deploy/main.tf
index d072eb7..3fefbc2 100644
--- a/deploy/main.tf
+++ b/deploy/main.tf
@@ -61,6 +61,11 @@ module "eks_terragrunt_repo_generator" {
 # Name of the CodeBuild project that runs terraform-eks-deployment for EKS repos
 CODEBUILD_PROJECT_NAME = var.codebuild_project_name
+
+ # PAT used by CodeBuild/Terraform for the GitHub provider (must be a ghp_ PAT —
+ # the standard App installation token ghs_ cannot access /api/v3/user which is
+ # required by the CSVD terraform-github-repo module).
+ TF_GITHUB_TOKEN_SECRET_NAME = "ghe-runner/github-token"
 }
 )
 }
 
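Review bot: The secret name `"ghe-runner/github-token"` is hard-coded into the Lambda environment here and repeated as a literal in the IAM policy ARN of the next hunk (`secret:ghe-runner/github-token-*`), so renaming the secret in one place silently breaks the other — the Lambda would keep permission on the old name while fetching the new one, or the reverse. Defining it once, e.g. `locals { tf_github_token_secret_name = "ghe-runner/github-token" }`, and referencing `local.tf_github_token_secret_name` from both the env var and the policy keeps them in step, and matches how `CODEBUILD_PROJECT_NAME` on the line above is driven from a variable rather than a literal. The comment could also name which component owns and rotates this PAT, since the Lambda now depends on a credential managed elsewhere.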
@@ -133,6 +138,27 @@ resource "aws_iam_role_policy" "codebuild_access" {
 })
 }
 
+# ── IAM: allow Lambda to read the PAT used for CodeBuild/Terraform ──────────
+# The standard github_token secret may hold a GitHub App installation token
+# (ghs_) which cannot access /api/v3/user — required by the CSVD
+# terraform-github-repo module. Grant access to the GHE runner PAT instead.
+resource "aws_iam_role_policy" "tf_github_token_access" {
+ name = "eks-repo-creator-tf-github-token-access"
+ role = module.eks_terragrunt_repo_generator.lambda_role_id
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Sid = "ReadTFGitHubToken"
+ Effect = "Allow"
+ Action = ["secretsmanager:GetSecretValue"]
+ Resource = "arn:aws-us-gov:secretsmanager:${var.aws_region}:${data.aws_caller_identity.current.account_id}:secret:ghe-runner/github-token-*"
+ }
+ ]
+ })
+}
+
 # ── VPC endpoint: CodeBuild (interface) ──────────────────────────────────────
 # The Lambda runs inside a VPC; without this endpoint the CodeBuild API call
 # times out because there is no NAT/internet path for codebuild.amazonaws.com.
diff --git a/template_automation/app.py b/template_automation/app.py
index 5b1ee1d..0cffae3 100644
--- a/template_automation/app.py
+++ b/template_automation/app.py
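Review bot: The new policy lets the Lambda read the GHE runner's own PAT rather than a credential dedicated to this path, so one token is now shared by two components and its blast radius and rotation impact cover both; if that PAT carries scopes beyond what the CSVD terraform-github-repo module needs (the comment only names `/api/v3/user` access), the Lambda/CodeBuild path inherits the excess. A dedicated secret with a minimally scoped PAT would be the least-privilege shape; until then a comment such as `# NOTE: shared with the GHE runner — rotating it affects both consumers` above the resource records the coupling. The `Resource` ARN also hard-codes the `aws-us-gov` partition while taking region and account from `var.aws_region` and `data.aws_caller_identity.current`; `${data.aws_partition.current.partition}` (with a `data "aws_partition" "current" {}` block if the file does not already declare one) avoids a silent mismatch in another partition. If the secret is encrypted with a customer-managed KMS key, `secretsmanager:GetSecretValue` alone will not be enough — worth confirming whether `kms:Decrypt` on that key is also required.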
@@ -718,7 +718,16 @@ def lambda_handler(event: dict, context) -> dict:
 # build, wait for it, and relay the result back to CloudFormation.
 if cfn_input.is_eks_deployment:
 logger.info(f"[{request_id}] EKS deployment detected – delegating to CodeBuild")
- github_token = get_secret(os.environ["GITHUB_TOKEN_SECRET_NAME"])
+ # Use a dedicated PAT for CodeBuild/Terraform if configured; the standard
+ # GITHUB_TOKEN_SECRET_NAME may hold a GitHub App installation token (ghs_)
+ # which cannot access /api/v3/user — required by the CSVD terraform-github-repo
+ # module's data.github_user.current lookup.
+ tf_token_secret = os.environ.get(
+ "TF_GITHUB_TOKEN_SECRET_NAME",
+ os.environ["GITHUB_TOKEN_SECRET_NAME"]
+ )
+ logger.info(f"[{request_id}] Fetching Terraform GitHub token from secret: {tf_token_secret}")
+ github_token = get_secret(tf_token_secret)
 build_id = start_codebuild_build(cfn_input, github_token, request_id)
 build_status, logs_url = poll_codebuild_build(build_id, request_id)
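Review bot: The default passed to `os.environ.get(...)` is evaluated eagerly, so `GITHUB_TOKEN_SECRET_NAME` must still be present even when `TF_GITHUB_TOKEN_SECRET_NAME` is set (a `KeyError` otherwise), and an empty-string `TF_GITHUB_TOKEN_SECRET_NAME` is not treated as unset; `tf_token_secret = os.environ.get("TF_GITHUB_TOKEN_SECRET_NAME") or os.environ["GITHUB_TOKEN_SECRET_NAME"]` covers both. The commit message says the fallback token cannot serve `/api/v3/user`, so falling back silently only defers the failure to the Terraform run inside CodeBuild; an explicit `logger.warning(f"[{request_id}] TF_GITHUB_TOKEN_SECRET_NAME not set; falling back to GITHUB_TOKEN_SECRET_NAME")` on the fallback branch makes the misconfiguration visible in the Lambda logs instead. Since the main.tf comment states the secret must hold a `ghp_` PAT, a prefix check that raises before `start_codebuild_build` would fail faster than the Terraform error, provided the check (and any log line around it) never echoes the token value — logging only the secret name as the new `logger.info` does is the right pattern. lambda_handler continues outside the hunk.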