diff --git a/buildspec.yml b/buildspec.yml
new file mode 100644
index 0000000..4c4d946
--- /dev/null
+++ b/buildspec.yml
@@ -0,0 +1,69 @@
+version: 0.2
+# buildspec.yml — terraform-eks-deployment / eks-terragrunt-repo-creator
+#
+# This buildspec is used by the CodeBuild project that is triggered by the
+# Lambda function (eks-terragrunt-repo-gen-template-automation) to create an
+# EKS cluster GitHub repository.
+#
+# Required environment variables (injected by the Lambda as overrides):
+# TF_VAR_name — cluster / repo name
+# TF_VAR_environment — environment (dev / nonprod / prod)
+# TF_VAR_region — AWS region (e.g. us-gov-west-1)
+# TF_VAR_cluster_config — JSON object with account_name, aws_account_id, etc.
+# TF_VAR_finops — JSON object with finops project_name / project_number
+# GITHUB_TOKEN — GitHub PAT (passed from Lambda's Secrets Manager read)
+# GITHUB_OWNER — GitHub org (default: SCT-Engineering)
+# GITHUB_BASE_URL — GHE base URL (e.g. https://github.e.it.census.gov)
+
+env:
+ variables:
+ TF_VERSION: "1.9.0"
+ ASSETS_BUCKET: "csvd-packer-pipeline-assets"
+ REPO_HOST: "github.e.it.census.gov"
+ REPO_ORG: "CSVD"
+ REPO_NAME: "terraform-eks-deployment"
+ # Disable TLS verification for Census GHE (Census CA cert not trusted by default)
+ GIT_SSL_NO_VERIFY: "true"
+ TF_CLI_ARGS: "-no-color"
+
+phases:
+ install:
+ commands:
+ # ── Install Terraform ─────────────────────────────────────────────────
+ - |
+ if ! command -v terraform &>/dev/null; then
+ TF_ZIP="terraform_${TF_VERSION}_linux_amd64.zip"
+ echo "Installing Terraform ${TF_VERSION}..."
+ aws s3 cp "s3://${ASSETS_BUCKET}/terraform/${TF_ZIP}" /tmp/${TF_ZIP} 2>/dev/null \
+ || curl -fsSL "https://releases.hashicorp.com/terraform/${TF_VERSION}/${TF_ZIP}" -o /tmp/${TF_ZIP}
+ unzip -oq /tmp/${TF_ZIP} -d /usr/local/bin/
+ chmod +x /usr/local/bin/terraform
+ rm /tmp/${TF_ZIP}
+ fi
+ - terraform version
+
+ # ── Clone terraform-eks-deployment ───────────────────────────────────
+ - |
+ git config --global credential.helper \
+ "!f() { echo username=x-access-token; echo password=${GITHUB_TOKEN}; }; f"
+ git clone --depth 1 \
+ "https://${REPO_HOST}/${REPO_ORG}/${REPO_NAME}.git" \
+ /tmp/eks-deploy
+ - echo "Cloned ${REPO_ORG}/${REPO_NAME} @ $(git -C /tmp/eks-deploy rev-parse --short HEAD)"
+
+ build:
+ commands:
+ - cd /tmp/eks-deploy
+ - echo "=== terraform init ==="
+ - terraform init -no-color
+ - echo "=== terraform apply ==="
+ - terraform apply -auto-approve -no-color
+
+ post_build:
+ commands:
+ - |
+ if [ "${CODEBUILD_BUILD_SUCCEEDING}" = "0" ]; then
+ echo "Build FAILED — check logs above"
+ else
+ echo "Build SUCCEEDED — repository created"
+ fi
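Review bot: `GIT_SSL_NO_VERIFY: "true"` in `env.variables` turns off certificate checking for the `git clone` in the install phase, so the `GITHUB_TOKEN` supplied by the credential helper is sent over an unauthenticated connection and the configuration that `terraform apply -auto-approve` then runs has no integrity guarantee. Trust the internal CA instead: ship its bundle with the build image or the assets bucket and replace the variable with `GIT_SSL_CAINFO: "<path-to-ca-bundle.pem>"` (placeholder path). The credential helper is also registered globally with the token expanded by the shell, so it answers for any host git contacts and the token ends up in the global git config; scoping it as `credential.https://${REPO_HOST}.helper` limits that. Separately, the Terraform zip from S3 or `releases.hashicorp.com` is unpacked into `/usr/local/bin` with no checksum comparison, and `2>/dev/null` hides why the S3 copy failed; compare the archive against a pinned SHA-256 before `unzip`.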