feat: CodeBuild+Terraform runtime for EKS repo creation #17

Merged on Apr 21, 2026 (14 commits)

Commits on Apr 6, 2026

  1. fix: dynamic paths in rendered_files + HTTPS module source for CodeBuild

    - Replace placeholder paths (environment/region/vpc/cluster/) with
      var.environment / var.region / var.cluster_config.vpc_name / var.name
      so managed_extra_files land in the correct Terragrunt hierarchy
    - Change CSVD/terraform-github-repo source from SSH (git@) to HTTPS
      (git::https://) to work inside CodeBuild without SSH agent
    Your Name committed Apr 6, 2026
    91202ff
  2. feat: add buildspec.yml for CodeBuild repo-creator project

    Buildspec used by the 'eks-terragrunt-repo-creator' CodeBuild project
    triggered by the Lambda function. Downloads Terraform from S3 assets bucket,
    clones this repo using GITHUB_TOKEN env var, then runs:
      terraform init -no-color
      terraform apply -auto-approve -no-color
    TF_VAR_* env vars are injected by the Lambda as CodeBuild environment
    variable overrides.
    Your Name committed Apr 6, 2026
    ec4d861
  3. c8525b4
  4. fix: correct REPO_ORG from CSVD to SCT-Engineering

    The terraform-eks-deployment repo lives in SCT-Engineering, not CSVD.
    CSVD would have caused git clone 404 in CodeBuild.
    Your Name committed Apr 6, 2026
    10680f6
  5. fix: add REPO_BRANCH and use it in git clone

    - Add REPO_BRANCH env var (currently fix/eca-copilot-instructions-and-callnotes)
      pointing to the branch with dynamic path fixes and HTTPS module source
    - Pass --branch to git clone so CodeBuild checks out the right code
    - Update REPO_BRANCH to 'main' once the fix branch is merged
    Your Name committed Apr 6, 2026
    c4227ca

Commits on Apr 7, 2026

  1. fix: bump TF_VERSION from 1.9.0 to 1.9.1

    terraform_1.9.0 zip was not in s3://csvd-packer-pipeline-assets/terraform/.
    Uploaded terraform_1.9.1_linux_amd64.zip to that path from local tfenv install.
    Public releases.hashicorp.com is blocked by Census network proxy.
    Your Name committed Apr 7, 2026
    5e50d7b
  2. fix: add HTTPS_PROXY/NO_PROXY to buildspec for registry.terraform.io access

    registry.terraform.io is blocked directly inside CodeBuild (Census network).
    Must route through http://proxy.tco.census.gov:3128.
    NO_PROXY excludes AWS-internal endpoints (.amazonaws.com) from proxy.
    Your Name committed Apr 7, 2026
    0ada33a
  3. fix: widen github provider constraint to >= 6.11.0, drop stale lock file

    CSVD/terraform-github-repo module requires ~> 6.11; workspace had >= 6.6.0, < 6.7.0
    which is incompatible. Lock file was pinned to 6.6.0 — delete so terraform init
    regenerates it against the updated constraint.
    Your Name committed Apr 7, 2026
    05d6103
  4. fix: add provider "github" block with insecure=true for Census GHE TLS

    The Census GHE TLS cert is signed by the Census internal CA which is not
    present in the CodeBuild container trust store. insecure=true disables
    x509 verification so terraform apply can call the GHE API.
    Your Name committed Apr 7, 2026
    d490e1f
  5. fix: install Census CA cert + add GHE to NO_PROXY in CodeBuild buildspec

    - Download census-ca.pem from S3 assets bucket and add to Amazon Linux 2
      trust store via update-ca-trust during INSTALL phase
    - Add github.e.it.census.gov to NO_PROXY so Terraform provider connects
      directly (not through proxy) and trusts Census CA chain
    - Keep insecure=true in providers.tf as belt-and-suspenders
    Your Name committed Apr 7, 2026
    20f9681
  6. docs: rewrite copilot-instructions to reflect CodeBuild+Terraform architecture

    - Replace 'Lambda-Only Approach' and 'Do NOT suggest CodeBuild' sections
    - Document full buildspec.yml runtime environment (proxy, CA cert, TF binary from S3)
    - Add complete Key Resources table with CodeBuild projects and token sources
    - Add Important Runtime Notes section with Census-specific networking requirements
    - Update What NOT to Do section with correct guidance
    Your Name committed Apr 7, 2026
    8503bc6
  7. 7a98671

Commits on Apr 14, 2026

  1. docs: replace duplicated SC deployment section with cross-reference

    The SC Product Deployment Methods section was near-identical to the
    canonical version in lambda-template-repo-generator. Replace with a
    concise cross-reference to keep a single source of truth.
    Your Name committed Apr 14, 2026
    daadbdf

Commits on Apr 20, 2026

  1. feat: rename template placeholder dirs via GitHub API after repo creation

    Add scripts/rename_template_dirs.py (Python, httpx + rich) that calls the
    GitHub API to delete environment/region/vpc/cluster/ placeholder paths from
    the repo-init PR branch and re-add the eks-*/terragrunt.hcl files at their
    correct computed paths:
    
      environment/region/vpc/cluster/eks-*/terragrunt.hcl
        → ${environment}/${region}/${vpc_name}/${cluster_name}/eks-*/terragrunt.hcl
    
    Files already rendered by managed_extra_files (account.hcl, region.hcl,
    vpc.hcl, cluster.hcl) are deleted from the placeholder paths but not
    re-added — Terraform already wrote them with real values.
    
    Controlled by var.run_in_codebuild (default false). buildspec.yml sets
    TF_VAR_run_in_codebuild=true so the null_resource only runs in CodeBuild.
    
    Also adds the null provider to providers.tf and pip3 install of httpx+rich
    to the buildspec install phase.
    Dave Arnold committed Apr 20, 2026
    58f634b