feat: CodeBuild+Terraform runtime for EKS repo creation #17
Merged
+700
−22
- Replace placeholder paths (environment/region/vpc/cluster/) with var.environment / var.region / var.cluster_config.vpc_name / var.name so managed_extra_files land in the correct Terragrunt hierarchy
- Change CSVD/terraform-github-repo source from SSH (git@) to HTTPS (git::https://) to work inside CodeBuild without SSH agent

Buildspec used by the 'eks-terragrunt-repo-creator' CodeBuild project triggered by the Lambda function. Downloads Terraform from S3 assets bucket, clones this repo using GITHUB_TOKEN env var, then runs:
    terraform init -no-color
    terraform apply -auto-approve -no-color
TF_VAR_* env vars are injected by the Lambda as CodeBuild environment variable overrides.
The terraform-eks-deployment repo lives in SCT-Engineering, not CSVD. CSVD would have caused git clone 404 in CodeBuild.
- Add REPO_BRANCH env var (currently fix/eca-copilot-instructions-and-callnotes) pointing to the branch with dynamic path fixes and HTTPS module source
- Pass --branch to git clone so CodeBuild checks out the right code
- Update REPO_BRANCH to 'main' once the fix branch is merged
terraform_1.9.0 zip was not in s3://csvd-packer-pipeline-assets/terraform/. Uploaded terraform_1.9.1_linux_amd64.zip to that path from local tfenv install. Public releases.hashicorp.com is blocked by Census network proxy.
…access registry.terraform.io is blocked directly inside CodeBuild (Census network). Must route through http://proxy.tco.census.gov:3128. NO_PROXY excludes AWS-internal endpoints (.amazonaws.com) from proxy.
CSVD/terraform-github-repo module requires ~> 6.11; workspace had >= 6.6.0, < 6.7.0 which is incompatible. Lock file was pinned to 6.6.0 — delete so terraform init regenerates it against the updated constraint.
The Census GHE TLS cert is signed by the Census internal CA which is not present in the CodeBuild container trust store. insecure=true disables x509 verification so terraform apply can call the GHE API.
- Download census-ca.pem from S3 assets bucket and add to Amazon Linux 2 trust store via update-ca-trust during INSTALL phase
- Add github.e.it.census.gov to NO_PROXY so Terraform provider connects directly (not through proxy) and trusts Census CA chain
- Keep insecure=true in providers.tf as belt-and-suspenders

…hitecture
- Replace 'Lambda-Only Approach' and 'Do NOT suggest CodeBuild' sections
- Document full buildspec.yml runtime environment (proxy, CA cert, TF binary from S3)
- Add complete Key Resources table with CodeBuild projects and token sources
- Add Important Runtime Notes section with Census-specific networking requirements
- Update What NOT to Do section with correct guidance
The SC Product Deployment Methods section was near-identical to the canonical version in lambda-template-repo-generator. Replace with a concise cross-reference to keep a single source of truth.
morga471
reviewed
Apr 20, 2026
…tion
Add scripts/rename_template_dirs.py (Python, httpx + rich) that calls the
GitHub API to delete environment/region/vpc/cluster/ placeholder paths from
the repo-init PR branch and re-add the eks-*/terragrunt.hcl files at their
correct computed paths:
    environment/region/vpc/cluster/eks-*/terragrunt.hcl
    → ${environment}/${region}/${vpc_name}/${cluster_name}/eks-*/terragrunt.hcl
Files already rendered by managed_extra_files (account.hcl, region.hcl,
vpc.hcl, cluster.hcl) are deleted from the placeholder paths but not
re-added — Terraform already wrote them with real values.
Controlled by var.run_in_codebuild (default false). buildspec.yml sets
TF_VAR_run_in_codebuild=true so the null_resource only runs in CodeBuild.
Also adds the null provider to providers.tf and pip3 install of httpx+rich
to the buildspec install phase.
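The path computation this commit describes, as an added example that is not the project's scripts/rename_template_dirs.py: it only plans which placeholder files to delete and which eks-*/terragrunt.hcl files to re-add at the real Terragrunt path (no GitHub API calls), and rejects variable values that would escape the hierarchy. The sample file list and module names (eks-cluster, eks-addons) are constructed for the example.

```python
import re

PLACEHOLDER_PREFIX = "environment/region/vpc/cluster/"
# Already rendered by managed_extra_files with real values: delete only, never re-add.
RENDERED_BY_TERRAFORM = {"account.hcl", "region.hcl", "vpc.hcl", "cluster.hcl"}
# One path segment: alphanumerics, dot, underscore, dash; no slashes, cannot be "..".
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")

# Constructed sample of the repo-init PR branch (not a real repository listing).
SAMPLE_TREE = [
    "environment/region/vpc/cluster/account.hcl",
    "environment/region/vpc/cluster/region.hcl",
    "environment/region/vpc/cluster/vpc.hcl",
    "environment/region/vpc/cluster/cluster.hcl",
    "environment/region/vpc/cluster/eks-cluster/terragrunt.hcl",
    "environment/region/vpc/cluster/eks-addons/terragrunt.hcl",
    "root.hcl",
]


def real_prefix(environment, region, vpc_name, cluster_name):
    """Build '<env>/<region>/<vpc>/<cluster>/', refusing values that are not a single segment."""
    parts = (environment, region, vpc_name, cluster_name)
    for part in parts:
        if not SAFE_SEGMENT.match(part):
            raise ValueError(f"unsafe path segment: {part!r}")
    return "/".join(parts) + "/"


def plan_moves(paths, environment, region, vpc_name, cluster_name):
    """Return (to_delete, to_readd): every placeholder path is deleted; only
    eks-*/terragrunt.hcl files are re-added, keyed old path -> computed path."""
    prefix = real_prefix(environment, region, vpc_name, cluster_name)
    to_delete, to_readd = [], {}
    for path in paths:
        if not path.startswith(PLACEHOLDER_PREFIX):
            continue  # outside the placeholder tree: untouched
        rel = path[len(PLACEHOLDER_PREFIX):]
        to_delete.append(path)
        if rel in RENDERED_BY_TERRAFORM:
            continue  # Terraform already wrote the real copy
        top = rel.split("/", 1)[0]
        if top.startswith("eks-") and rel.endswith("/terragrunt.hcl"):
            to_readd[path] = prefix + rel
    return to_delete, to_readd


if __name__ == "__main__":
    delete, readd = plan_moves(SAMPLE_TREE, "dev", "us-east-1", "vpc-main", "eks-demo")
    print("delete:", *delete, sep="\n  ")
    print("re-add:", *(f"{k} -> {v}" for k, v in readd.items()), sep="\n  ")
```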
morga471
approved these changes
Apr 21, 2026
LGTM
Summary

This workspace is executed by the eks-terragrunt-repo-creator CodeBuild project (triggered by the ECA Lambda) to create EKS cluster GitHub repositories via Terraform.

Changes

- buildspec.yml
  - hashicorp.com blocked on Census
  - installs Census CA cert via update-ca-trust
  - HTTPS_PROXY/HTTP_PROXY for registry.terraform.io provider downloads
  - github.e.it.census.gov to NO_PROXY for direct GHE connections
  - GIT_SSL_NO_VERIFY=true as belt-and-suspenders
- providers.tf
  - >= 6.11.0 (required by CSVD module's ~> 6.11 constraint)
  - provider "github" { insecure = true } for Census GHE TLS
- variables.tf / locals.tf
  - cluster_config as JSON-encoded string from CodeBuild env vars
- .github/copilot-instructions.md
  - …ghe-runner/github-token) for Terraform; App token for Lambda
- callnotes.md
  - Runtime Environment
Test Result
sc-e2e-test-20260407-1402 — ✔ PASS (207s)