From 20f9681e6568f66f21164c777c8120c6f944c861 Mon Sep 17 00:00:00 2001
From: Your Name
Date: Tue, 7 Apr 2026 12:55:53 -0400
Subject: [PATCH] fix: install Census CA cert + add GHE to NO_PROXY in CodeBuild buildspec

- Download census-ca.pem from S3 assets bucket and add to Amazon Linux 2 trust store via update-ca-trust during INSTALL phase
- Add github.e.it.census.gov to NO_PROXY so Terraform provider connects directly (not through proxy) and trusts Census CA chain
- Keep insecure=true in providers.tf as belt-and-suspenders
---
 buildspec.yml | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/buildspec.yml b/buildspec.yml
index fc57156..360ffa5 100644
--- a/buildspec.yml
+++ b/buildspec.yml
@@ -29,12 +29,22 @@ env:
 # Census proxy — required for registry.terraform.io provider downloads
 HTTPS_PROXY: "http://proxy.tco.census.gov:3128"
 HTTP_PROXY: "http://proxy.tco.census.gov:3128"
- # Exclude AWS-internal endpoints from the proxy
- NO_PROXY: "169.254.169.254,169.254.170.2,s3.us-gov-west-1.amazonaws.com,s3.amazonaws.com,.amazonaws.com,.us-gov-west-1.amazonaws.com"
+ # Exclude AWS-internal endpoints and Census GHE from the proxy
+ NO_PROXY: "169.254.169.254,169.254.170.2,s3.us-gov-west-1.amazonaws.com,s3.amazonaws.com,.amazonaws.com,.us-gov-west-1.amazonaws.com,github.e.it.census.gov"

 phases:
 install:
 commands:
+ # ── Install Census Bureau CA certificate ──────────────────────────────
+ # The Census GHE TLS cert is issued by the Census Bureau CA which is not
+ # trusted by the CodeBuild Amazon Linux 2 trust store by default.
+ - |
+ aws s3 cp "s3://${ASSETS_BUCKET}/certs/census-ca.pem" \
+ /etc/pki/ca-trust/source/anchors/census-ca.pem 2>/dev/null \
+ && update-ca-trust \
+ && echo "Census CA cert installed" \
+ || echo "WARNING: could not install Census CA cert (continuing anyway)"
+
 # ── Install Terraform ─────────────────────────────────────────────────
 - |
 if ! command -v terraform &>/dev/null; then
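Review bot: The added CA-install step in the `install` phase fails open: `2>/dev/null` hides the `aws s3 cp` error and the trailing `|| echo "WARNING: ... (continuing anyway)"` lets the build go on without the Census CA, and since the commit message keeps `insecure=true` in providers.tf the missing trust anchor may never surface as a TLS failure. The step also copies whatever object sits at `certs/census-ca.pem` straight into the system trust anchors with no integrity check, so anyone able to write that S3 key (the bucket policy is not visible here) can add a root CA that every later HTTPS client in the build will trust. I would download to a temporary file, verify it against a SHA-256 digest pinned in the buildspec, and fail the build on any error, as sketched below; `CENSUS_CA_SHA256` is a placeholder name for a variable to add to the `env` block. The `install` phase continues past the end of the hunk.

```yaml
      - |
        ca_tmp="$(mktemp)"
        aws s3 cp "s3://${ASSETS_BUCKET}/certs/census-ca.pem" "${ca_tmp}" \
          && echo "${CENSUS_CA_SHA256}  ${ca_tmp}" | sha256sum -c - \
          && install -m 0644 "${ca_tmp}" /etc/pki/ca-trust/source/anchors/census-ca.pem \
          && update-ca-trust \
          && echo "Census CA cert installed" \
          || { echo "ERROR: Census CA cert missing or digest mismatch" >&2; exit 1; }
      # … unchanged: Install Terraform step …
```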