fix: install Census CA cert + add GHE to NO_PROXY in CodeBuild buildspec

- Download census-ca.pem from S3 assets bucket and add to Amazon Linux 2 trust store via update-ca-trust during INSTALL phase - Add github.e.it.census.gov to NO_PROXY so Terraform provider connects directly (not through proxy) and trusts Census CA chain - Keep insecure=true in providers.tf as belt-and-suspenders
SCT-Engineering · Apr 7, 2026 · 20f9681 · 20f9681
1 parent d490e1f
commit 20f9681
Showing 1 changed file with 12 additions and 2 deletions.
diff --git a/buildspec.yml b/buildspec.yml
@@ -29,12 +29,22 @@ env:
     # Census proxy — required for registry.terraform.io provider downloads
     HTTPS_PROXY: "http://proxy.tco.census.gov:3128"
     HTTP_PROXY: "http://proxy.tco.census.gov:3128"
-    # Exclude AWS-internal endpoints from the proxy
-    NO_PROXY: "169.254.169.254,169.254.170.2,s3.us-gov-west-1.amazonaws.com,s3.amazonaws.com,.amazonaws.com,.us-gov-west-1.amazonaws.com"
+    # Exclude AWS-internal endpoints and Census GHE from the proxy
+    NO_PROXY: "169.254.169.254,169.254.170.2,s3.us-gov-west-1.amazonaws.com,s3.amazonaws.com,.amazonaws.com,.us-gov-west-1.amazonaws.com,github.e.it.census.gov"
 
 phases:
   install:
     commands:
+      # ── Install Census Bureau CA certificate ──────────────────────────────
+      # The Census GHE TLS cert is issued by the Census Bureau CA which is not
+      # trusted by the CodeBuild Amazon Linux 2 trust store by default.
+      - |
+        aws s3 cp "s3://${ASSETS_BUCKET}/certs/census-ca.pem" \
+          /etc/pki/ca-trust/source/anchors/census-ca.pem 2>/dev/null \
+          && update-ca-trust \
+          && echo "Census CA cert installed" \
+          || echo "WARNING: could not install Census CA cert (continuing anyway)"
+
       # ── Install Terraform ─────────────────────────────────────────────────
       - |
         if ! command -v terraform &>/dev/null; then