feat: path_mapper for dynamic EKS repo structure (safe revert baseline)

- build_eks_path_mapper remaps environment/region/vpc/cluster/ placeholders to concrete values from CFN params - github_provider: clone_repository_contents accepts optional path_mapper - csvd_config_packer.hcl: create_role=false, packer 1.10.3, role ARN wired - deploy/service_catalog.tf: SC product and portfolio synced - Updated copilot instructions with Lambda-only architecture decision
CSVD · Apr 6, 2026 · a79cee4 · a79cee4
1 parent 528f4b3
commit a79cee4
Show file tree

Hide file tree

Showing 9 changed files with 545 additions and 385 deletions.
diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
@@ -77,8 +77,31 @@ SC Console (user fills form)
     → SC provisioned product shows as AVAILABLE
 ```
 
-The SC product is **managed by `terraform-service-catalog-census`** (not deployed from this repo).
-The live CFN template lives at:
+## SC Product Deployment Methods
+
+There are **two ways** to deploy the Service Catalog product. Both use the same
+`service-catalog/product-template.yaml` CFN template — they must stay in sync.
+
+### Method 1: Direct Terraform via `deploy/` (canonical, use for testing/debugging)
+
+```bash
+cd lambda-template-repo-generator/deploy
+tf init
+tf apply
+```
+
+This deploys the Lambda + SC portfolio + SC product + constraints directly.
+Use this as the **reference deployment** when debugging issues with the census pipeline.
+IDs after last apply: portfolio `port-h5qd63hw5yagq`, product `prod-lmua4oknugafg`.
+
+### Method 2: `terraform-service-catalog-census` Terragrunt (production path)
+
+```bash
+cd terraform-service-catalog-census/non-prod/csvd-dev/west/service-catalog
+tf apply   # (via terragrunt)
+```
+
+This is the census-managed production deployment path. The live CFN template lives at:
 `terraform-service-catalog-census/templates/products/eks-terragrunt-repo/2-0-0.yaml`
 
 Both `service-catalog/product-template.yaml` here and `2-0-0.yaml` in census must stay in sync
@@ -140,8 +163,10 @@ python scripts/check_github_permissions.py
 
 ## What NOT to Do
 
-- ❌ Do not create a `buildspec.yml` for repo creation — there is no CodeBuild approach here
-- ❌ Do not use `hashicorp/github` or `HappyPathway/terraform-github-repo` Terraform providers for SC products
+- ❌ Do not create a `buildspec.yml` for repo creation using the **old** CodeBuild+Terraform approach
+- ❌ Do not use `HappyPathway/terraform-github-repo` **public** module — it pins `github ~> 6.0` (conflicts with internal `>= 6.6.0`)
+- ✅ DO use `CSVD/terraform-github-repo` (https://github.e.it.census.gov/CSVD/terraform-github-repo) — internal module, uses `github 6.6.0`, supports `template_repo` + `managed_extra_files`
 - ❌ Do not pass `vpc_id` to the Lambda — use `vpc_name`
-- ❌ Do not deploy the SC portfolio/product from this repo — that's `terraform-service-catalog-census`'s job
 - ❌ Do not re-add `LambdaFunctionArn` as a CFN parameter — use `!Sub "arn:..."` directly
+- ❌ Do not write temp files or command output to `/tmp` — use `~/tmp` (i.e. `/home/a/arnol377/tmp`) instead
+- ❌ Do not use the `terraform` command directly — always use the `tf` alias (e.g. `tf plan`, `tf apply`, `tf init`)
diff --git a/csvd_config_packer.hcl b/csvd_config_packer.hcl
@@ -17,8 +17,8 @@ packer_pipeline {
   tools = [
     {
       name         = "packer"
-      version      = "1.13.0"
-      zip_path     = "packer_1.13.0_linux_amd64.zip"
+      version      = "1.10.3"
+      zip_path     = "packer_1.10.3_linux_amd64.zip"
       binary_name  = "packer"
       install_path = "/usr/local/bin"
     }
@@ -29,7 +29,8 @@ packer_pipeline {
   partition            = "aws-us-gov"    // AWS partition (aws or aws-us-gov)
 
   // Role management
-  create_role          = true  // Enable automatic role creation
+  create_role          = false  // Role already exists; provide ARN directly
+  codebuild_role_arn   = "arn:aws-us-gov:iam::229685449397:role/CodeBuildPackerRole-eks-terragrunt-repo-generator-builder"
 
   // Region and partition configuration
   aws_region           = "us-gov-west-1"  // AWS region
@@ -42,7 +43,7 @@ packer_pipeline {
   buildspec_template   = "buildspec.yml.j2"  // Buildspec template file
 
   // Post-build commands to push Docker image to ECR
-  additional_post_build_commands  = "docker push ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}"
+  additional_post_build_commands  = "- docker push ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}"
 
   // Exclude patterns for zip creation
   exclude_dirs     = [

diff --git a/deploy/.terraform_commits b/deploy/.terraform_commits
@@ -82,5 +82,17 @@
     "commit_message": "pushing latest code",
     "author": "Your Name",
     "timestamp": "2026-02-11T17:09:42.508401"
+  },
+  {
+    "commit_hash": "528f4b3c9d142dc7b5b4cd3e9f7ce00aa98352ca",
+    "commit_message": "fix: VERIFY_SSL=false; public repo visibility; add ec2:DescribeVpcs to SC launch role\n\n- VERIFY_SSL was incorrectly set to 'true' (Census CA cert not in certifi)\n- repo_visibility changed from 'internal' to 'public' per ECA requirements\n- Added EC2DescribeVpcs permission to SC launch role IAM policy",
+    "author": "Your Name",
+    "timestamp": "2026-04-06T12:12:58.619384"
+  },
+  {
+    "commit_hash": "528f4b3c9d142dc7b5b4cd3e9f7ce00aa98352ca",
+    "commit_message": "fix: VERIFY_SSL=false; public repo visibility; add ec2:DescribeVpcs to SC launch role\n\n- VERIFY_SSL was incorrectly set to 'true' (Census CA cert not in certifi)\n- repo_visibility changed from 'internal' to 'public' per ECA requirements\n- Added EC2DescribeVpcs permission to SC launch role IAM policy",
+    "author": "Your Name",
+    "timestamp": "2026-04-06T12:18:21.814330"
   }
 ]
diff --git a/deploy/service_catalog.tf b/deploy/service_catalog.tf
@@ -189,33 +189,7 @@ resource "aws_servicecatalog_constraint" "launch" {
   description = "Launch constraint - uses a dedicated role to invoke the Lambda function"
 }
 
-# -----------------------------------------------------------------------------
-# Template constraint – lock the hidden LambdaFunctionArn parameter
-# -----------------------------------------------------------------------------
-resource "aws_servicecatalog_constraint" "template" {
-  count = local.create_sc ? 1 : 0
-
-  portfolio_id = aws_servicecatalog_portfolio.this[0].id
-  product_id   = aws_servicecatalog_product.github_repository[0].id
-  type         = "TEMPLATE"
-
-  parameters = jsonencode({
-    Rules = {
-      LockLambdaArn = {
-        Assertions = [
-          {
-            Assert = {
-              "Fn::Equals" = [
-                { Ref = "LambdaFunctionArn" },
-                local.lambda_arn
-              ]
-            }
-            AssertDescription = "The Lambda function ARN cannot be changed"
-          }
-        ]
-      }
-    }
-  })
-
-  description = "Template constraint - locks the Lambda ARN to the deployed function"
-}
+# Template constraint removed: LambdaFunctionArn was dropped as a CFN parameter
+# (ServiceToken is now hardcoded via !Sub in product-template.yaml).
+# A template constraint referencing a non-existent parameter causes
+# "Template Constraint Parameters Error" at launch time.