Add complete SACC v4 infrastructure project

- Terraform modules: VPC, EC2, RDS, S3, CloudFront, Route53, Lambda, IAM, Security Groups
- Ansible playbooks for server configuration
- Scripts: create-test-environment.sh, destroy-test-environment.sh, validate-environment.sh
- Documentation: README, QUICKSTART, AGENTS
- Jenkins pipeline for automated deployment
- Jenkins pipeline for environment destruction
This commit is contained in:
Jenkins CI
2026-06-03 04:39:01 +00:00
commit 71be2abd2e
27 changed files with 6424 additions and 0 deletions
+38
@@ -0,0 +1,38 @@
# Backend Bootstrap - Bucket S3 y DynamoDB para Estado Terraform
# ================================================================
# Ejecutar PRIMERO antes de terraform init:
# aws s3api create-bucket --bucket sacc4-terraform-state-test --region mx-central-1
# aws dynamodb create-table --table-name sacc4-terraform-locks-test \
# --attribute-definitions AttributeName=LockID,AttributeType=S \
# --key-schema AttributeName=LockID,KeyType=HASH \
# --billing-mode PAY_PER_REQUEST
resource "aws_s3_bucket" "terraform_state" {
bucket = "sacc4-terraform-state-${var.environment}"
}
resource "aws_s3_bucket_versioning" "terraform_state" {
bucket = aws_s3_bucket.terraform_state.id
versioning_configuration {
status = "Enabled"
}
}
resource "aws_s3_bucket_server_side_encryption_configuration" "terraform_state" {
bucket = aws_s3_bucket.terraform_state.id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
resource "aws_dynamodb_table" "terraform_locks" {
name = "sacc4-terraform-locks-${var.environment}"
billing_mode = "PAY_PER_REQUEST"
hash_key = "LockID"
attribute {
name = "LockID"
type = "S"
}
}
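Review bot: The `aws_s3_bucket.terraform_state` bucket gets versioning and SSE but no `aws_s3_bucket_public_access_block`, and since this state will hold the RDS master and app credentials in plaintext, that block belongs in the bootstrap alongside the encryption rule. The header comment also instructs the operator to create the same bucket and table with the CLI before `terraform init`, which will make `terraform apply` of these resources fail with an already-exists error unless they are imported first; either drop the CLI steps or document `terraform import` for both resources. `var.environment` is referenced here but not declared in this hunk, so presumably it lives in a sibling variables file.
```hcl
# … unchanged: aws_s3_bucket, versioning, encryption, dynamodb table …
resource "aws_s3_bucket_public_access_block" "terraform_state" {
  bucket                  = aws_s3_bucket.terraform_state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```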
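--- a/environments/prod/terraform.tfvars
+++ b/environments/prod/terraform.tfvars
@@ -0,0 +1,32 @@
+# Variables de entorno para PRODUCCION
+# ====================================
+# Archivo: environments/prod/terraform.tfvars
+environment = "prod"
+aws_region = "mx-central-1"
+# VPC - Igual a produccion actual
+vpc_cidr = "10.2.0.0/16"
+availability_zones = ["mx-central-1a", "mx-central-1b"]
+# EC2
+ami_id = "ami-0f553e2869648134e" # Ubuntu 22.04 LTS
+instance_type = "t3.small"
+key_name = "sacc4-prod-key"
+# IP restringida (solo VPN u oficina)
+my_ip = "TU_IP_O_VPN_AQUI/32"
+# RDS
+db_name = "sacc4_prod"
+db_username = "sacc4_admin"
+db_password = "PasswordSeguraProduccion123!"
+rds_instance_class = "db.t3.micro"
+rds_allocated_storage = 20
+# S3 / CloudFront / Route53
+s3_bucket_name = "sacc4-frontend-prod-ccsoft"
+domain_name = "prod-sacc.ccsoft.mx"
+# Certificado SSL (ARN real de ACM)
+certificate_arn = "arn:aws:acm:mx-central-1:523761210517:certificate/EXISTENTE"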
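Review bot: `db_password = "PasswordSeguraProduccion123!"` is a literal production credential in a committed tfvars file, and the test tfvars in this commit repeats the pattern with `rds_master_password = "CambiarEstaPassword123!Segura"`. Even if both are meant as placeholders, whatever sits in the file is what `terraform apply` sends to RDS and writes into state, so the line should be removed and the value supplied at run time (`TF_VAR_db_password`, a var-file kept outside the repo, or a Secrets Manager data source), with `*.tfvars` ignored by git and only an `.example` file committed. `my_ip = "TU_IP_O_VPN_AQUI/32"` and the `certificate/EXISTENTE` ARN are also placeholders, but those fail validation at apply time, which is the safer failure mode; a comment saying they must be replaced would make the intent explicit.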
+339
@@ -0,0 +1,339 @@
# =============================================================================
# SACC v4 - Entorno TEST en Cuenta 668889063715
# =============================================================================
# DUPLICA la infraestructura de produccion usando los modulos PRODUCCION
# probados de terraform-sacc4/
#
# IMPORTANTE: Este archivo usa los modulos de produccion para garantizar
# que el entorno de test sea IDENTICO al de produccion.
#
# Uso:
# 1. cp terraform.tfvars.example terraform.tfvars
# 2. Editar terraform.tfvars con valores reales
# 3. terraform init
# 4. terraform plan
# 5. terraform apply
# =============================================================================
terraform {
required_version = ">= 1.5.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
random = {
source = "hashicorp/random"
version = "~> 3.0"
}
}
# Backend S3 para estado (bucket creado por bootstrap)
backend "s3" {
bucket = "sacc4-terraform-state-test-668889063715"
key = "sacc4-test/infrastructure/terraform.tfstate"
region = "mx-central-1"
encrypt = true
dynamodb_table = "sacc4-terraform-locks-test-668889063715"
}
}
# Provider AWS - Región Mexico (mx-central-1)
provider "aws" {
region = var.aws_region
default_tags {
tags = {
Project = "sacc4"
Environment = "test"
ManagedBy = "terraform"
Owner = "infra-team"
AccountId = "668889063715"
CostCenter = "test-environment"
}
}
}
# Provider AWS para ACM (us-east-1 requerido por CloudFront)
provider "aws" {
alias = "us_east_1"
region = "us-east-1"
default_tags {
tags = {
Project = "sacc4"
Environment = "test"
ManagedBy = "terraform"
}
}
}
# =============================================================================
# DATOS
# =============================================================================
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
# =============================================================================
# LOCALES
# =============================================================================
locals {
name_prefix = "${var.project_name}-test"
common_tags = {
Project = var.project_name
Environment = "test"
ManagedBy = "terraform"
}
}
# =============================================================================
# MODULOS DE INFRAESTRUCTURA (usando modulos de produccion)
# =============================================================================
module "vpc" {
source = "../../../../terraform-sacc4/modules/vpc"
name_prefix = local.name_prefix
vpc_cidr = var.vpc_cidr
availability_zones = var.availability_zones
public_subnet_cidrs = var.public_subnet_cidrs
private_subnet_cidrs = var.private_subnet_cidrs
tags = local.common_tags
}
module "security_groups" {
source = "../../../../terraform-sacc4/modules/security-groups"
name_prefix = local.name_prefix
vpc_id = module.vpc.vpc_id
vpc_cidr = module.vpc.vpc_cidr
ssh_allowed_cidrs = var.ssh_allowed_cidrs
tags = local.common_tags
}
module "iam" {
source = "../../../../terraform-sacc4/modules/iam"
name_prefix = local.name_prefix
tags = local.common_tags
}
module "ec2" {
source = "../../../../terraform-sacc4/modules/ec2"
name_prefix = local.name_prefix
instance_type = var.ec2_instance_type
ami = var.ec2_ami
subnet_id = module.vpc.public_subnet_ids[0]
security_group_ids = [module.security_groups.ec2_security_group_id]
root_volume_size = var.ec2_root_volume_size
root_volume_type = var.ec2_root_volume_type
root_volume_encrypted = var.ec2_root_volume_encrypted
thoth_public_key = var.thoth_public_key
osiris_public_key = var.osiris_public_key
rds_endpoint = module.rds.rds_endpoint
rds_db_name = var.rds_db_name
rds_app_username = "sacc_app_user"
rds_app_password = var.rds_master_password
tags = local.common_tags
}
module "rds" {
source = "../../../../terraform-sacc4/modules/rds"
name_prefix = local.name_prefix
instance_class = var.rds_instance_class
engine = var.rds_engine
engine_version = var.rds_engine_version
allocated_storage = var.rds_allocated_storage
max_allocated_storage = var.rds_max_allocated_storage
db_name = var.rds_db_name
master_username = var.rds_master_username
master_password = var.rds_master_password
backup_retention_period = var.rds_backup_retention_period
backup_window = var.rds_backup_window
maintenance_window = var.rds_maintenance_window
subnet_ids = module.vpc.private_subnet_ids
security_group_ids = [module.security_groups.rds_security_group_id]
enable_replica = false
tags = local.common_tags
}
module "lambda_scheduler" {
source = "../../../../terraform-sacc4/modules/lambda-scheduler"
count = var.enable_scheduling ? 1 : 0
name_prefix = local.name_prefix
ec2_instance_id = module.ec2.instance_id
rds_instance_id = module.rds.db_instance_identifier
schedule_timezone = var.schedule_timezone
schedule_start_cron = var.schedule_start_cron
schedule_stop_cron = var.schedule_stop_cron
lambda_role_arn = module.iam.lambda_scheduler_role_arn
scheduler_role_arn = module.iam.eventbridge_scheduler_role_arn
tags = local.common_tags
}
module "s3_cloudfront" {
source = "../../../../terraform-sacc4/modules/s3-cloudfront"
name_prefix = local.name_prefix
bucket_name = var.frontend_bucket_name
cloudfront_price_class = var.cloudfront_price_class
enable_logging = var.enable_cloudfront_logging
domain_name = var.domain_name
tags = local.common_tags
}
module "route53" {
source = "../../../../terraform-sacc4/modules/route53"
name_prefix = local.name_prefix
domain_name = var.domain_name
api_subdomain = var.api_subdomain
api_public_ip = module.ec2.public_ip
cloudfront_domain = module.s3_cloudfront.cloudfront_domain_name
cloudfront_zone_id = module.s3_cloudfront.cloudfront_hosted_zone_id
tags = local.common_tags
}
# =============================================================================
# OUTPUTS
# =============================================================================
output "vpc_id" {
description = "ID de la VPC creada"
value = module.vpc.vpc_id
}
output "public_subnet_ids" {
description = "IDs de subnets publicas"
value = module.vpc.public_subnet_ids
}
output "private_subnet_ids" {
description = "IDs de subnets privadas"
value = module.vpc.private_subnet_ids
}
output "ec2_instance_id" {
description = "ID de la instancia EC2"
value = module.ec2.instance_id
}
output "ec2_public_ip" {
description = "IP publica de la instancia EC2"
value = module.ec2.public_ip
}
output "ec2_private_ip" {
description = "IP privada de la instancia EC2"
value = module.ec2.private_ip
}
output "rds_endpoint" {
description = "Endpoint de la base de datos RDS"
value = module.rds.rds_endpoint
sensitive = true
}
output "rds_port" {
description = "Puerto de la base de datos RDS"
value = module.rds.rds_port
}
output "rds_db_name" {
description = "Nombre de la base de datos"
value = module.rds.db_name
}
output "frontend_bucket_name" {
description = "Nombre del bucket S3 del frontend"
value = module.s3_cloudfront.bucket_name
}
output "cloudfront_domain_name" {
description = "Dominio de CloudFront"
value = module.s3_cloudfront.cloudfront_domain_name
}
output "cloudfront_distribution_id" {
description = "ID de la distribucion CloudFront"
value = module.s3_cloudfront.distribution_id
}
output "api_gateway_url" {
description = "URL del API Gateway"
value = "https://${var.api_subdomain}"
}
output "frontend_url" {
description = "URL del frontend"
value = "https://${var.domain_name}"
}
output "lambda_start_function_name" {
description = "Nombre de la funcion Lambda de inicio"
value = var.enable_scheduling ? module.lambda_scheduler[0].start_function_name : null
}
output "lambda_stop_function_name" {
description = "Nombre de la funcion Lambda de apagado"
value = var.enable_scheduling ? module.lambda_scheduler[0].stop_function_name : null
}
output "route53_api_record" {
description = "Nombre del registro DNS para API"
value = module.route53.api_record_name
}
output "route53_frontend_record" {
description = "Nombre del registro DNS para frontend"
value = module.route53.frontend_record_name
}
output "route53_zone_id" {
description = "ID de la zona Route53"
value = module.route53.hosted_zone_id
}
output "ansible_inventory" {
description = "Inventario Ansible generado dinamicamente"
value = <<-EOT
[sacc4-test]
${module.ec2.public_ip} ansible_user=ubuntu ansible_ssh_private_key_file=~/.ssh/sacc4-test-key.pem
[sacc4-test:vars]
ansible_python_interpreter=/usr/bin/python3
environment=test
db_endpoint=${module.rds.rds_endpoint}
s3_bucket=${module.s3_cloudfront.bucket_name}
cloudfront_domain=${module.s3_cloudfront.cloudfront_domain_name}
EOT
sensitive = false
}
output "deployment_commands" {
description = "Comandos para desplegar la aplicacion"
value = <<-EOT
# =============================================================================
# COMANDOS POST-DESPLIEGUE - SACC v4 TEST
# =============================================================================
# Conectar a la instancia
ssh -i ~/.ssh/sacc4-test-key.pem ubuntu@${module.ec2.public_ip}
# Verificar servicios
ssh -i ~/.ssh/sacc4-test-key.pem ubuntu@${module.ec2.public_ip} "sudo systemctl status nginx"
ssh -i ~/.ssh/sacc4-test-key.pem ubuntu@${module.ec2.public_ip} "sudo systemctl status api-sacc4-*"
# Verificar health checks
ssh -i ~/.ssh/sacc4-test-key.pem ubuntu@${module.ec2.public_ip} "curl -s http://localhost:8080/actuator/health"
ssh -i ~/.ssh/sacc4-test-key.pem ubuntu@${module.ec2.public_ip} "curl -s http://localhost:8081/actuator/health"
# Base de datos
mysql -h ${module.rds.rds_endpoint} -u sacc_app_user -p -e "SELECT 1;"
EOT
}
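Review bot: `rds_app_password = var.rds_master_password` in `module "ec2"` hands the application user the RDS master credential, so anything that can read the app config on the instance holds master access to the database; the app user should get its own variable or a `random_password` resource, and the `random` provider is already declared in `required_providers`. The `ansible_inventory` output is declared `sensitive = false` while interpolating `module.rds.rds_endpoint`, which the root `rds_endpoint` output treats as sensitive; if the rds module marks that output sensitive as well, `terraform plan` will reject `ansible_inventory`, and `deployment_commands` embeds the same value with no `sensitive` attribute at all. Either set `sensitive = true` on both outputs or wrap the endpoint in `nonsensitive()` deliberately. The `aws.us_east_1` provider alias is declared but no module receives it, so the CloudFront certificate region is not actually wired through this file.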
@@ -0,0 +1,98 @@
# =============================================================================
# VARIABLES DE ENTORNO TEST - SACC v4
# Cuenta AWS: 668889063715
# =============================================================================
# =============================================================================
# GENERALES
# =============================================================================
aws_region = "mx-central-1"
environment = "test"
project_name = "sacc4"
# =============================================================================
# DOMINIO Y DNS
# =============================================================================
# Dominio principal para el entorno de test
# NOTA: Asegurate de que este dominio exista en Route53 de la cuenta 668889063715
domain_name = "test-sacc.ccsoft.mx"
api_subdomain = "api.test-sacc.ccsoft.mx"
# =============================================================================
# NETWORKING
# =============================================================================
# CIDR que NO choque con produccion (10.2.0.0/16) ni otros entornos
vpc_cidr = "10.3.0.0/16"
availability_zones = ["mx-central-1a", "mx-central-1b"]
public_subnet_cidrs = ["10.3.1.0/24", "10.3.2.0/24"]
private_subnet_cidrs = ["10.3.10.0/24", "10.3.11.0/24"]
# =============================================================================
# EC2 CONFIGURATION
# =============================================================================
ec2_instance_type = "t3.small"
ec2_ami = "ami-0f553e2869648134e"
ec2_root_volume_size = 8
ec2_root_volume_type = "gp2"
ec2_root_volume_encrypted = true
# SSH - RESTRINGIR a tu IP publica o rangos de oficina/VPN
# Ejemplo: ["203.0.113.0/24"] para oficina, ["10.8.0.0/24"] para VPN
# WARNING: [] vacio usa solo VPC CIDR (mas seguro)
ssh_allowed_cidrs = []
# Llaves SSH publicas para acceso
# Generar par de llaves: ssh-keygen -t ed25519 -f sacc4-test-key -C "sacc4-test"
thoth_public_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/RcJmEYOBpfq1tSLltV1pyNB55l1jA2zYr5ZNJ0f41 thoth@ccsoft"
osiris_public_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFo6CycfgIuCCSVZbhuPwqlAVDxY8YWb1xpvpqxSzMjR osiris@ccsoft"
# =============================================================================
# RDS CONFIGURATION
# =============================================================================
rds_instance_class = "db.t3.micro"
rds_engine = "mariadb"
rds_engine_version = "10.11.16"
rds_allocated_storage = 20
rds_max_allocated_storage = 100
rds_db_name = "ccsoft_sacc4_test"
rds_master_username = "sacc_admin_test"
rds_master_password = "CambiarEstaPassword123!Segura"
rds_backup_retention_period = 7
rds_backup_window = "03:00-04:00"
rds_maintenance_window = "Mon:04:00-Mon:05:00"
# =============================================================================
# SCHEDULING (apagado automatico para ahorrar costos en test)
# =============================================================================
enable_scheduling = true
schedule_timezone = "America/Mexico_City"
schedule_start_cron = "cron(0 13 ? * MON-FRI *)"
schedule_stop_cron = "cron(0 0 ? * TUE-SAT *)"
# =============================================================================
# FRONTEND (S3 + CloudFront)
# =============================================================================
# Nombre unico global del bucket S3
frontend_bucket_name = "sacc4-frontend-test-668889063715"
cloudfront_price_class = "PriceClass_100"
enable_cloudfront_logging = false
# =============================================================================
# TAGS COMUNES
# =============================================================================
common_tags = {
Project = "proyectosacc"
ManagedBy = "terraform"
Team = "infra"
Purpose = "test-environment"
}
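Review bot: `common_tags` here sets `Project = "proyectosacc"` while `project_name = "sacc4"` and the provider `default_tags` in main.tf use `Project = "sacc4"`, so resources would carry conflicting values depending on which tag map is applied last. As far as this commit shows, main.tf never references `var.common_tags` at all (it builds `local.common_tags` from `var.project_name`), which makes this block dead configuration. Either drop the variable or have main.tf merge it, e.g. `common_tags = merge(var.common_tags, { Project = var.project_name, Environment = "test" })`.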
+222
@@ -0,0 +1,222 @@
# =============================================================================
# VARIABLES - Entorno TEST SACC v4
# =============================================================================
variable "aws_region" {
description = "Region AWS para despliegue"
type = string
default = "mx-central-1"
}
variable "environment" {
description = "Ambiente (test)"
type = string
default = "test"
}
variable "project_name" {
description = "Nombre del proyecto"
type = string
default = "sacc4"
}
variable "domain_name" {
description = "Dominio principal"
type = string
default = "test-sacc.ccsoft.mx"
}
variable "api_subdomain" {
description = "Subdominio para API"
type = string
default = "api.test-sacc.ccsoft.mx"
}
variable "vpc_cidr" {
description = "CIDR block para VPC"
type = string
default = "10.3.0.0/16"
}
variable "availability_zones" {
description = "Zonas de disponibilidad"
type = list(string)
default = ["mx-central-1a", "mx-central-1b"]
}
variable "public_subnet_cidrs" {
description = "CIDRs para subnets publicas"
type = list(string)
default = ["10.3.1.0/24", "10.3.2.0/24"]
}
variable "private_subnet_cidrs" {
description = "CIDRs para subnets privadas"
type = list(string)
default = ["10.3.10.0/24", "10.3.11.0/24"]
}
variable "ec2_instance_type" {
description = "Tipo de instancia EC2"
type = string
default = "t3.small"
}
variable "ec2_ami" {
description = "AMI ID de Ubuntu 22.04 LTS en mx-central-1"
type = string
default = "ami-0f553e2869648134e"
}
variable "ec2_root_volume_size" {
description = "Tamanio del volumen root en GB"
type = number
default = 8
}
variable "ec2_root_volume_type" {
description = "Tipo de volumen root"
type = string
default = "gp2"
}
variable "ec2_root_volume_encrypted" {
description = "Volumen encriptado"
type = bool
default = true
}
variable "ssh_allowed_cidrs" {
description = "Lista de CIDRs permitidos para SSH"
type = list(string)
default = []
}
variable "rds_instance_class" {
description = "Clase de instancia RDS"
type = string
default = "db.t3.micro"
}
variable "rds_engine" {
description = "Motor de base de datos"
type = string
default = "mariadb"
}
variable "rds_engine_version" {
description = "Version del motor"
type = string
default = "10.11.16"
}
variable "rds_allocated_storage" {
description = "Almacenamiento asignado en GB"
type = number
default = 20
}
variable "rds_max_allocated_storage" {
description = "Almacenamiento maximo para autoscaling"
type = number
default = 100
}
variable "rds_db_name" {
description = "Nombre de la base de datos"
type = string
default = "ccsoft_sacc4_test"
}
variable "rds_master_username" {
description = "Usuario master de RDS"
type = string
default = "sacc_admin_test"
sensitive = true
}
variable "rds_master_password" {
description = "Contrasena master de RDS"
type = string
sensitive = true
}
variable "rds_backup_retention_period" {
description = "Periodo de retencion de backups en dias"
type = number
default = 7
}
variable "rds_backup_window" {
description = "Ventana de backup"
type = string
default = "03:00-04:00"
}
variable "rds_maintenance_window" {
description = "Ventana de mantenimiento"
type = string
default = "Mon:04:00-Mon:05:00"
}
variable "enable_scheduling" {
description = "Habilitar scheduling horario"
type = bool
default = true
}
variable "schedule_timezone" {
description = "Zona horaria"
type = string
default = "America/Mexico_City"
}
variable "schedule_start_cron" {
description = "Expresion cron para inicio"
type = string
default = "cron(0 13 ? * MON-FRI *)"
}
variable "schedule_stop_cron" {
description = "Expresion cron para apagado"
type = string
default = "cron(0 0 ? * TUE-SAT *)"
}
variable "frontend_bucket_name" {
description = "Nombre del bucket S3"
type = string
default = "sacc4-frontend-test-668889063715"
}
variable "cloudfront_price_class" {
description = "Clase de precio de CloudFront"
type = string
default = "PriceClass_100"
}
variable "enable_cloudfront_logging" {
description = "Habilitar logging de CloudFront"
type = bool
default = false
}
variable "thoth_public_key" {
description = "Llave publica SSH para thoth"
type = string
}
variable "osiris_public_key" {
description = "Llave publica SSH para osiris"
type = string
}
variable "common_tags" {
description = "Tags comunes"
type = map(string)
default = {
Project = "proyectosacc"
ManagedBy = "terraform"
Team = "infra"
}
}
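Review bot: None of the variables carry a `validation` block, so `ssh_allowed_cidrs` accepts `0.0.0.0/0` and `rds_master_password` accepts any length, and both are forwarded straight into the security-group and RDS modules. Rejecting the world CIDR at variable level turns an open SSH rule into a plan-time error instead of something to catch in review, and a minimum password length does the same for the RDS credential. Marking `rds_master_username` as `sensitive` while it has a literal default only hides a non-secret from plan output; the password, which has no default, is the value that needs the flag.
```hcl
variable "ssh_allowed_cidrs" {
  description = "Lista de CIDRs permitidos para SSH"
  type        = list(string)
  default     = []
  validation {
    condition     = !contains(var.ssh_allowed_cidrs, "0.0.0.0/0")
    error_message = "ssh_allowed_cidrs must not open SSH to 0.0.0.0/0; use office/VPN ranges or leave the list empty."
  }
}
# … unchanged: other variables …
variable "rds_master_password" {
  description = "Contrasena master de RDS"
  type        = string
  sensitive   = true
  validation {
    condition     = length(var.rds_master_password) >= 16
    error_message = "rds_master_password must be at least 16 characters."
  }
}
```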
+205
@@ -0,0 +1,205 @@
# SACC v4 - Duplicación de Infraestructura de Producción
# ======================================================
# Este script Terraform duplica el entorno PROD de SACC v4
# en una nueva cuenta AWS de pruebas.
#
# USO:
# 1. Copiar terraform.tfvars.example a terraform.tfvars
# 2. Completar variables con valores de la nueva cuenta
# 3. terraform init
# 4. terraform plan
# 5. terraform apply
#
# NO EJECUTAR EN PRODUCCIÓN - Solo para entornos de prueba
terraform {
required_version = ">= 1.5.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
}
# Backend S3 para estado (crear bucket primero)
backend "s3" {
bucket = "sacc4-terraform-state-test"
key = "sacc4-test/terraform.tfstate"
region = "mx-central-1"
encrypt = true
dynamodb_table = "sacc4-terraform-locks-test"
}
}
# Provider AWS - Región México
provider "aws" {
region = var.aws_region
default_tags {
tags = {
Project = "SACC-v4"
Environment = var.environment
ManagedBy = "Terraform"
CreatedDate = timestamp()
}
}
}
# ======================================================
# MÓDULOS DE INFRAESTRUCTURA
# ======================================================
module "vpc" {
source = "./modules/vpc"
vpc_cidr = var.vpc_cidr
environment = var.environment
availability_zones = var.availability_zones
}
module "security_groups" {
source = "./modules/security-groups"
vpc_id = module.vpc.vpc_id
environment = var.environment
my_ip = var.my_ip
}
module "iam" {
source = "./modules/iam"
environment = var.environment
account_id = data.aws_caller_identity.current.account_id
}
module "ec2" {
source = "./modules/ec2"
ami_id = var.ami_id
instance_type = var.instance_type
subnet_id = module.vpc.public_subnet_ids[0]
security_group_ids = [module.security_groups.ec2_sg_id]
key_name = var.key_name
environment = var.environment
associate_public_ip = true
user_data = file("${path.module}/scripts/ec2-user-data.sh")
iam_instance_profile = module.iam.ec2_instance_profile_name
}
module "rds" {
source = "./modules/rds"
subnet_ids = module.vpc.private_subnet_ids
security_group_id = module.security_groups.rds_sg_id
db_name = var.db_name
db_username = var.db_username
db_password = var.db_password
instance_class = var.rds_instance_class
allocated_storage = var.rds_allocated_storage
environment = var.environment
}
module "s3_cloudfront" {
source = "./modules/s3-cloudfront"
bucket_name = var.s3_bucket_name
environment = var.environment
domain_name = var.domain_name
certificate_arn = var.certificate_arn
}
module "route53" {
source = "./modules/route53"
domain_name = var.domain_name
ec2_public_ip = module.ec2.public_ip
cloudfront_domain = module.s3_cloudfront.cloudfront_domain_name
cloudfront_zone_id = module.s3_cloudfront.cloudfront_hosted_zone_id
}
module "lambda_scheduler" {
source = "./modules/lambda-scheduler"
environment = var.environment
ec2_instance_id = module.ec2.instance_id
}
# ======================================================
# DATOS
# ======================================================
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
# ======================================================
# OUTPUTS
# ======================================================
output "vpc_id" {
description = "ID de la VPC creada"
value = module.vpc.vpc_id
}
output "ec2_public_ip" {
description = "IP pública de la instancia EC2"
value = module.ec2.public_ip
}
output "ec2_private_ip" {
description = "IP privada de la instancia EC2"
value = module.ec2.private_ip
}
output "rds_endpoint" {
description = "Endpoint de la base de datos RDS"
value = module.rds.endpoint
sensitive = true
}
output "s3_bucket_name" {
description = "Nombre del bucket S3 para frontend"
value = module.s3_cloudfront.bucket_name
}
output "cloudfront_domain" {
description = "Dominio de CloudFront"
value = module.s3_cloudfront.cloudfront_domain_name
}
output "route53_nameservers" {
description = "Nameservers de Route53"
value = module.route53.nameservers
}
output "ansible_inventory" {
description = "Inventario Ansible generado dinámicamente"
value = <<-EOT
[sacc4-test]
${module.ec2.public_ip} ansible_user=ubuntu ansible_ssh_private_key_file=~/.ssh/${var.key_name}.pem
[sacc4-test:vars]
ansible_python_interpreter=/usr/bin/python3
environment=${var.environment}
db_endpoint=${module.rds.endpoint}
s3_bucket=${module.s3_cloudfront.bucket_name}
EOT
sensitive = false
}
output "deployment_commands" {
description = "Comandos para desplegar la aplicación"
value = <<-EOT
# Conectar a la instancia
ssh -i ~/.ssh/${var.key_name}.pem ubuntu@${module.ec2.public_ip}
# Verificar servicios
systemctl status nginx
systemctl status api-sacc4-*
# Verificar health checks
curl http://localhost:8080/actuator/health
curl http://localhost:8081/actuator/health
curl http://localhost:8082/actuator/health
EOT
}
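Review bot: The `ansible_inventory` output sets `sensitive = false` but interpolates `module.rds.endpoint`, and the rds module in this same commit declares that output `sensitive = true`; Terraform refuses to plan a root output that references a sensitive value unless the output itself is sensitive, so this module will not apply as written. Set `sensitive = true` on the output, or wrap just the one value in `nonsensitive()` if exposing the endpoint via `terraform output` is intended. Separately, `CreatedDate = timestamp()` inside `default_tags` changes on every run, so every tagged resource shows a perpetual tag diff; a static value or a `time_static` resource is the usual replacement. The `security_groups` module receives `vpc_id` but not the VPC CIDR, even though its internal-API rule needs one.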
+42
@@ -0,0 +1,42 @@
variable "ami_id" {}
variable "instance_type" { default = "t3.small" }
variable "subnet_id" {}
variable "security_group_ids" { type = list(string) }
variable "key_name" {}
variable "environment" {}
variable "associate_public_ip" { default = true }
variable "user_data" { default = "" }
variable "iam_instance_profile" { default = "" }
resource "aws_instance" "main" {
ami = var.ami_id
instance_type = var.instance_type
subnet_id = var.subnet_id
vpc_security_group_ids = var.security_group_ids
key_name = var.key_name
associate_public_ip_address = var.associate_public_ip
user_data = var.user_data
iam_instance_profile = var.iam_instance_profile
root_block_device {
volume_size = 8
volume_type = "gp2"
encrypted = true
delete_on_termination = true
}
tags = {
Name = "sacc4-ec2-${var.environment}"
Environment = var.environment
}
}
resource "aws_eip" "main" {
instance = aws_instance.main.id
domain = "vpc"
tags = { Name = "sacc4-eip-${var.environment}" }
}
output "instance_id" { value = aws_instance.main.id }
output "public_ip" { value = aws_eip.main.public_ip }
output "private_ip" { value = aws_instance.main.private_ip }
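Review bot: `aws_instance.main` has no `metadata_options`, so the instance still serves IMDSv1 and the credentials of the role attached through `iam_instance_profile` can be fetched by any local process without a session token; requiring IMDSv2 is the standard mitigation and costs nothing for an Ubuntu 22.04 image. `http_put_response_hop_limit = 1` additionally keeps those credentials from being reachable through a container bridge on the host. The root volume is fixed at 8 GB/gp2 while the user-data script installs a JDK, nginx, Ansible and the CloudWatch agent; the test root module in this commit already passes `ec2_root_volume_size`/`ec2_root_volume_type`, so exposing the same variables here would keep the two modules aligned.
```hcl
resource "aws_instance" "main" {
  # … unchanged: ami, instance_type, subnet_id, security groups, key_name, user_data, profile …
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }
  # … unchanged: root_block_device, tags …
}
```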
+54
@@ -0,0 +1,54 @@
variable "environment" {}
variable "account_id" {}
resource "aws_iam_role" "ec2_role" {
name = "sacc4-ec2-role-${var.environment}"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = { Service = "ec2.amazonaws.com" }
}]
})
}
resource "aws_iam_role_policy" "ec2_policy" {
name = "sacc4-ec2-policy-${var.environment}"
role = aws_iam_role.ec2_role.id
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Effect = "Allow"
Action = [
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket"
]
Resource = [
"arn:aws:s3:::sacc4-*",
"arn:aws:s3:::sacc4-*/*"
]
},
{
Effect = "Allow"
Action = [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
]
Resource = "arn:aws:logs:*:*:log-group:/sacc4/*"
}
]
})
}
resource "aws_iam_instance_profile" "ec2_profile" {
name = "sacc4-ec2-profile-${var.environment}"
role = aws_iam_role.ec2_role.name
}
output "ec2_instance_profile_name" {
value = aws_iam_instance_profile.ec2_profile.name
}
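Review bot: The S3 statement in `aws_iam_role_policy.ec2_policy` grants `s3:GetObject`/`s3:PutObject`/`s3:ListBucket` on `arn:aws:s3:::sacc4-*`, a prefix that also matches the Terraform state bucket `sacc4-terraform-state-*` created by the bootstrap in this commit; that state holds the RDS credentials, so the EC2 role can read and overwrite it. Scope the resources to what the instance actually serves, e.g. `"arn:aws:s3:::sacc4-frontend-*"` and `"arn:aws:s3:::sacc4-frontend-*/*"`, or pass the bucket name in as a variable. `var.account_id` is declared and supplied by the root module but never used; it would naturally replace the account wildcard in the logs ARN, `Resource = "arn:aws:logs:*:${var.account_id}:log-group:/sacc4/*"`, so the permission cannot reach log groups in other accounts.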
+48
@@ -0,0 +1,48 @@
variable "subnet_ids" { type = list(string) }
variable "security_group_id" {}
variable "db_name" {}
variable "db_username" {}
variable "db_password" { sensitive = true }
variable "instance_class" { default = "db.t3.micro" }
variable "allocated_storage" { default = 20 }
variable "environment" {}
resource "aws_db_subnet_group" "main" {
name = "sacc4-rds-subnet-${var.environment}"
subnet_ids = var.subnet_ids
tags = { Name = "sacc4-rds-subnet-${var.environment}" }
}
resource "aws_db_instance" "main" {
identifier = "sacc4-${var.environment}"
engine = "mariadb"
engine_version = "10.11.16"
instance_class = var.instance_class
allocated_storage = var.allocated_storage
storage_type = "gp2"
storage_encrypted = true
db_name = var.db_name
username = var.db_username
password = var.db_password
db_subnet_group_name = aws_db_subnet_group.main.name
vpc_security_group_ids = [var.security_group_id]
publicly_accessible = false
skip_final_snapshot = true
backup_retention_period = 7
backup_window = "00:01-00:31"
tags = {
Name = "sacc4-rds-${var.environment}"
Environment = var.environment
}
}
output "endpoint" {
value = aws_db_instance.main.endpoint
sensitive = true
}
output "db_name" { value = aws_db_instance.main.db_name }
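Review bot: `aws_db_instance.main` sets `skip_final_snapshot = true` with no `deletion_protection`, so the destroy pipeline shipped in this commit drops the database with no recovery point; that may be intended for a throwaway test environment, but the root module's header says it mirrors production, so a one-line comment stating the choice is worth adding. No `enabled_cloudwatch_logs_exports` is configured, so failed logins and slow queries never leave the instance; for MariaDB `enabled_cloudwatch_logs_exports = ["error", "slowquery", "audit"]` gives operations something to alert on. `engine_version` is hard-coded here while the other root module in this commit passes it as an input; a `variable "engine_version"` defaulting to `"10.11.16"` would keep both call sites consistent.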
+80
@@ -0,0 +1,80 @@
variable "vpc_id" {}
variable "environment" {}
variable "my_ip" {}
resource "aws_security_group" "ec2" {
name = "sacc4-ec2-sg-${var.environment}"
description = "Security group para instancia EC2 SACC4"
vpc_id = var.vpc_id
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [var.my_ip]
description = "SSH desde IP autorizada"
}
ingress {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
description = "HTTP"
}
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
description = "HTTPS"
}
ingress {
from_port = 8080
to_port = 8085
protocol = "tcp"
cidr_blocks = [aws_vpc.main.cidr_block]
description = "APIs internas"
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = { Name = "sacc4-ec2-sg-${var.environment}" }
}
resource "aws_security_group" "rds" {
name = "sacc4-rds-sg-${var.environment}"
description = "Security group para RDS MariaDB"
vpc_id = var.vpc_id
ingress {
from_port = 3306
to_port = 3306
protocol = "tcp"
security_groups = [aws_security_group.ec2.id]
description = "MariaDB desde EC2"
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = { Name = "sacc4-rds-sg-${var.environment}" }
}
resource "aws_vpc" "main" {
cidr_block = "10.3.0.0/16"
}
output "ec2_sg_id" { value = aws_security_group.ec2.id }
output "rds_sg_id" { value = aws_security_group.rds.id }
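Review bot: `resource "aws_vpc" "main"` at the bottom of this module creates a second, detached VPC with a hard-coded `10.3.0.0/16` solely so the 8080-8085 ingress rule can read `aws_vpc.main.cidr_block`; the security groups themselves live in `var.vpc_id`, so the rule admits the orphan VPC's range rather than the real one, and for prod (`vpc_cidr = "10.2.0.0/16"` in its tfvars) it would never match the actual VPC. Replace it with an input: add `variable "vpc_cidr" {}`, change the rule to `cidr_blocks = [var.vpc_cidr]`, delete the `aws_vpc` resource and pass `vpc_cidr = var.vpc_cidr` from the root module. Both groups also allow egress on all protocols to `0.0.0.0/0`; the RDS group has little reason to initiate outbound connections, so dropping or narrowing its egress block is a cheap containment gain.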
+51
@@ -0,0 +1,51 @@
variable "vpc_cidr" {}
variable "environment" {}
variable "availability_zones" { type = list(string) }
resource "aws_vpc" "main" {
cidr_block = var.vpc_cidr
enable_dns_hostnames = true
enable_dns_support = true
tags = { Name = "sacc4-vpc-${var.environment}" }
}
resource "aws_internet_gateway" "main" {
vpc_id = aws_vpc.main.id
tags = { Name = "sacc4-igw-${var.environment}" }
}
resource "aws_subnet" "public" {
count = 2
vpc_id = aws_vpc.main.id
cidr_block = cidrsubnet(var.vpc_cidr, 8, count.index + 1)
availability_zone = var.availability_zones[count.index]
map_public_ip_on_launch = true
tags = { Name = "sacc4-public-${count.index + 1}-${var.environment}" }
}
resource "aws_subnet" "private" {
count = 2
vpc_id = aws_vpc.main.id
cidr_block = cidrsubnet(var.vpc_cidr, 8, count.index + 11)
availability_zone = var.availability_zones[count.index]
tags = { Name = "sacc4-private-${count.index + 1}-${var.environment}" }
}
resource "aws_route_table" "public" {
vpc_id = aws_vpc.main.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.main.id
}
tags = { Name = "sacc4-public-rt-${var.environment}" }
}
resource "aws_route_table_association" "public" {
count = 2
subnet_id = aws_subnet.public[count.index].id
route_table_id = aws_route_table.public.id
}
output "vpc_id" { value = aws_vpc.main.id }
output "public_subnet_ids" { value = aws_subnet.public[*].id }
output "private_subnet_ids" { value = aws_subnet.private[*].id }
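Review bot: The three `count = 2` values are fixed while `availability_zones` is an arbitrary list, so passing one or three zones either leaves zones unused or fails with an index error; `count = length(var.availability_zones)` keeps subnets and associations in step. The private subnets have no route table association and so fall back to the VPC main route table, which here carries no internet route; that is the right isolation for the RDS subnets, but a comment on `aws_subnet.private` saying so would stop a reader from assuming a NAT gateway was forgotten. No `aws_flow_log` is defined for the VPC; for an environment meant to mirror production, flow logs are the one telemetry source that would show unexpected traffic toward the database subnets.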
+98
@@ -0,0 +1,98 @@
#!/bin/bash
# User Data para instancia EC2 SACC v4
# =====================================
# Este script se ejecuta al inicio de la instancia
set -e
# Actualizar sistema
echo "Actualizando sistema..."
apt-get update -y
apt-get upgrade -y
# Instalar dependencias base
echo "Instalando dependencias..."
apt-get install -y \
openjdk-21-jdk \
nginx \
unzip \
jq \
net-tools \
htop \
logrotate \
curl \
wget \
git \
python3 \
python3-pip \
ansible \
awscli
# Crear usuarios y grupos
echo "Configurando usuarios..."
groupadd -g 1006 duat || true
useradd -u 997 -g duat -s /bin/bash -m osiris || true
useradd -u 1001 -g duat -s /bin/bash -m thoth || true
# Crear directorios
echo "Creando directorios..."
mkdir -p /opt/sacc4
mkdir -p /var/log/sacc4
mkdir -p /etc/sacc4
mkdir -p /var/www/html
# Configurar permisos
chown -R thoth:duat /opt/sacc4
chmod 2775 /opt/sacc4
# Configurar SSH
echo "Configurando SSH..."
sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config
systemctl restart sshd
# Configurar UFW
echo "Configurando firewall..."
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 8080:8085/tcp
ufw --force enable
# Instalar CloudWatch agent
echo "Instalando CloudWatch agent..."
wget https://s3.amazonaws.com/amazoncloudwatch-agent/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb
dpkg -i amazon-cloudwatch-agent.deb
rm amazon-cloudwatch-agent.deb
# Crear configuración de CloudWatch
cat > /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json <<'EOF'
{
"metrics": {
"namespace": "SACC4",
"metrics_collected": {
"cpu": { "measurement": ["cpu_usage_idle", "cpu_usage_user"], "metrics_collection_interval": 60 },
"mem": { "measurement": ["mem_used_percent"], "metrics_collection_interval": 60 },
"disk": { "measurement": ["disk_used_percent"], "resources": ["/"], "metrics_collection_interval": 60 }
}
},
"logs": {
"logs_collected": {
"files": {
"collect_list": [
{ "file_path": "/var/log/sacc4/*/*.log", "log_group_name": "sacc4-application-logs", "log_stream_name": "{instance_id}" }
]
}
}
}
}
EOF
# Iniciar CloudWatch agent
/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c file:/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json
echo "Configuración base completada!"
echo "IP privada: $(hostname -I | awk '{print $1}')"
echo "Esperando despliegue de aplicación..."
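Review bot: The SSH hardening at `sed -i 's/#PasswordAuthentication yes/...'` only rewrites the commented-out default, so on an image where the directive is already uncommented, or is set in a `/etc/ssh/sshd_config.d/*.conf` drop-in as Ubuntu 22.04 cloud images typically do, the substitution is a silent no-op and `sshd` restarts with whatever password-login setting was already in force. A drop-in is deterministic: `printf 'PasswordAuthentication no\nPubkeyAuthentication yes\n' > /etc/ssh/sshd_config.d/99-sacc4.conf` followed by `sshd -t && systemctl restart ssh`. The CloudWatch agent `.deb` is fetched from `latest` and installed with `dpkg -i` without checking the detached signature AWS publishes next to it (`amazon-cloudwatch-agent.deb.sig`); running `gpg --verify` against it before `dpkg -i`, and pinning a version instead of `latest`, makes the boot image both verifiable and reproducible. `ufw allow 8080:8085/tcp` opens the application ports to any source at the host level, so keeping them off the internet rests entirely on the security group — worth a comment here so the two layers are not hardened independently.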
+355
@@ -0,0 +1,355 @@
# =============================================================================
# TERRAFORM.TFVARS.EXAMPLE - SACC v4
# =============================================================================
# Plantilla unificada para despliegue de infraestructura SACC v4
# en entornos TEST y PRODUCCION usando Terraform Workspaces.
#
# INSTRUCCIONES:
# 1. Copiar este archivo: cp terraform.tfvars.example terraform.tfvars
# 2. Completar las variables marcadas como [REQUERIDO]
# 3. Seleccionar workspace: terraform workspace select test|prod
# 4. terraform init
# 5. terraform plan
# 6. terraform apply
#
# CUENTAS AWS:
# TEST: 668889063715 (mx-central-1)
# PROD: 523761210517 (mx-central-1)
#
# NOTA DE SEGURIDAD:
# - NUNCA commitear terraform.tfvars (esta en .gitignore)
# - Las contrasenas deben tener minimo 16 caracteres
# - Restringir SSH a IPs especificas (no usar 0.0.0.0/0)
# =============================================================================
# =============================================================================
# SECCION 1: CONFIGURACION GENERAL
# =============================================================================
# Entorno de despliegue. Terraform workspace DEBE coincidir con este valor.
# Valores permitidos: "test", "prod"
# TEST: "test" (cuenta 668889063715)
# PROD: "prod" (cuenta 523761210517)
# [REQUERIDO] - No tiene valor por defecto para evitar errores accidentales
environment = "test"
# Nombre del proyecto (usado como prefijo en recursos)
# Valor por defecto: "sacc4"
project_name = "sacc4"
# Region AWS para despliegue
# NOTA: mx-central-1 es la unica region disponible para ambas cuentas
# Valor por defecto: "mx-central-1"
aws_region = "mx-central-1"
# =============================================================================
# SECCION 2: DOMINIO Y DNS (Route53)
# =============================================================================
# Dominio principal para la aplicacion
# TEST: "dev-sacc.ccsoft.mx"
# PROD: "sacc.ccsoft.mx"
# [REQUERIDO] - Debe existir como Hosted Zone en Route53 de la cuenta
# correspondiente ANTES de ejecutar terraform apply
domain_name = "dev-sacc.ccsoft.mx"
# Subdominio para la API backend
# TEST: "api.dev-sacc.ccsoft.mx"
# PROD: "api.sacc.ccsoft.mx"
# [REQUERIDO] - Se crea automaticamente como registro A apuntando a EC2
api_subdomain = "api.dev-sacc.ccsoft.mx"
# =============================================================================
# SECCION 3: NETWORKING (VPC)
# =============================================================================
# CIDR block para la VPC
# IMPORTANTE: No debe chocar con otras VPCs ni redes on-premise
# TEST: "10.3.0.0/16" (evita conflicto con prod 10.2.0.0/16)
# PROD: "10.2.0.0/16"
# Valor por defecto: "10.3.0.0/16"
vpc_cidr = "10.3.0.0/16"
# Zonas de disponibilidad
# mx-central-1 actualmente soporta: mx-central-1a, mx-central-1b
# Valor por defecto: ["mx-central-1a", "mx-central-1b"]
availability_zones = ["mx-central-1a", "mx-central-1b"]
# CIDRs para subnets publicas (una por AZ)
# Deben estar dentro del rango vpc_cidr
# TEST: ["10.3.1.0/24", "10.3.2.0/24"]
# PROD: ["10.2.1.0/24", "10.2.2.0/24"]
# Valor por defecto: ["10.3.1.0/24", "10.3.2.0/24"]
public_subnet_cidrs = ["10.3.1.0/24", "10.3.2.0/24"]
# CIDRs para subnets privadas (una por AZ)
# RDS y recursos internos se despliegan aqui
# TEST: ["10.3.10.0/24", "10.3.11.0/24"]
# PROD: ["10.2.10.0/24", "10.2.11.0/24"]
# Valor por defecto: ["10.3.10.0/24", "10.3.11.0/24"]
private_subnet_cidrs = ["10.3.10.0/24", "10.3.11.0/24"]
# =============================================================================
# SECCION 4: EC2 - SERVIDOR DE APLICACION
# =============================================================================
# Tipo de instancia EC2
# TEST: "t3.small" (costo optimizado)
# PROD: "t3.medium" (instancia actual: 78.13.201.205)
# Valor por defecto: "t3.small"
# NOTA: Para produccion, t3.medium con 4GB RAM minimo recomendado
ec2_instance_type = "t3.small"
# AMI ID de Ubuntu 22.04 LTS (Jammy)
# Verificar AMI actualizada en: https://cloud-images.ubuntu.com/locator/ec2/
# Para mx-central-1, buscar "Ubuntu 22.04 LTS amd64"
# Valor por defecto: "ami-0f553e2869648134e" (Ubuntu 22.04 LTS)
# NOTA: La AMI puede variar por cuenta. Verificar en consola AWS.
ec2_ami = "ami-0f553e2869648134e"
# Tamano del volumen root en GB
# PROD actual: 8GB (7.6G usados 60%)
# Recomendado: 20GB para logs y artefactos
# Valor por defecto: 8
ec2_root_volume_size = 8
# Tipo de volumen root
# Opciones: gp2, gp3, io1, io2
# Valor por defecto: "gp2"
ec2_root_volume_type = "gp2"
# Encriptar volumen root
# Valor por defecto: true
# RECOMENDADO: Siempre true en produccion
ec2_root_volume_encrypted = true
# =============================================================================
# SECCION 5: ACCESO SSH (CRITICO - SEGURIDAD)
# =============================================================================
# Lista de CIDRs permitidos para acceso SSH (puerto 22)
# FORMATO: ["xxx.xxx.xxx.xxx/32"] para IP individual
# ["203.0.113.0/24"] para rango de oficina
# ["10.8.0.0/24"] para VPN
#
# [REQUERIDO] - Debe contener al menos tu IP publica actual
# WARNING: [] vacio permite SOLO acceso desde la VPC (mas seguro pero requiere bastion)
# PROD actual incluye IPs de: Libra-Totalplay, Leaseweb, Empresa
#
# Ejemplo TEST: ["186.96.145.105/32", "187.234.90.175/32"]
# Ejemplo PROD: ["186.96.145.105/32", "207.244.97.190/32", "187.234.90.175/32"]
ssh_allowed_cidrs = []
# Llave publica SSH para usuario "thoth"
# Generar par de llaves: ssh-keygen -t ed25519 -f sacc4-thoth-key -C "thoth@ccsoft"
# El usuario thoth se usa para despliegues (UID 1001, grupo duat GID 1006)
# [REQUERIDO] - Copiar contenido de sacc4-thoth-key.pub
thoth_public_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/RcJmEYOBpfq1tSLltV1pyNB55l1jA2zYr5ZNJ0f41 thoth@ccsoft"
# Llave publica SSH para usuario "osiris"
# Generar par de llaves: ssh-keygen -t ed25519 -f sacc4-osiris-key -C "osiris@ccsoft"
# El usuario osiris ejecuta los servicios Java (UID 997, grupo duat GID 1006)
# [REQUERIDO] - Copiar contenido de sacc4-osiris-key.pub
osiris_public_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFo6CycfgIuCCSVZbhuPwqlAVDxY8YWb1xpvpqxSzMjR osiris@ccsoft"
# =============================================================================
# SECCION 6: RDS - BASE DE DATOS
# =============================================================================
# Clase de instancia RDS
# TEST: "db.t3.micro" (costo optimizado, eligible free tier)
# PROD: "db.t3.micro" (instancia actual en produccion)
# Valor por defecto: "db.t3.micro"
rds_instance_class = "db.t3.micro"
# Motor de base de datos
# PROD actual usa: MariaDB 10.6
# Valor por defecto: "mariadb"
# NOTA: No cambiar a menos que se migre intencionalmente
rds_engine = "mariadb"
# Version del motor
# PROD actual: 10.6
# TEST recomendado: 10.11.16 (version compatible mas reciente)
# Valor por defecto: "10.11.16"
rds_engine_version = "10.11.16"
# Almacenamiento asignado en GB
# Valor por defecto: 20
# Recomendado: 50GB+ para produccion con crecimiento
rds_allocated_storage = 20
# Almacenamiento maximo para auto-scaling
# RDS expande automaticamente hasta este limite
# Valor por defecto: 100
rds_max_allocated_storage = 100
# Nombre de la base de datos inicial
# TEST: "ccsoft_sacc4_test"
# PROD: "ccsoft_sacc4"
# Valor por defecto: "ccsoft_sacc4_test"
rds_db_name = "ccsoft_sacc4_test"
# Usuario master/administrador de RDS
# TEST: "sacc_admin_test"
# PROD: "sacc_admin_prod"
# Valor por defecto: "sacc_admin_test"
# NOTA: Este usuario NO es el que usa la aplicacion. La app usa un usuario
# adicional creado automaticamente: "sacc_app_user"
rds_master_username = "sacc_admin_test"
# Contrasena master de RDS
# [REQUERIDO] - MINIMO 16 caracteres, debe incluir:
# - Mayusculas, minusculas, numeros, simbolos
# - No usar caracteres especiales problematicos: @, /, \"
# Ejemplo: "Sacc4_Test_2024!Secure"
# NOTA DE SEGURIDAD: Esta contrasena se usa tambien para el usuario sacc_app_user
rds_master_password = "CambiarEstaPassword123!Segura"
# Periodo de retencion de backups automaticos (dias)
# TEST: 7 dias (minimo para desarrollo)
# PROD: 30 dias (recomendado para produccion)
# Valor por defecto: 7
rds_backup_retention_period = 7
# Ventana de backup (hora UTC)
# Formato: "hh:mm-hh:mm"
# Valor por defecto: "03:00-04:00" (9pm-10pm CST)
rds_backup_window = "03:00-04:00"
# Ventana de mantenimiento
# Formato: "Ddd:hh:mm-Ddd:hh:mm"
# Valor por defecto: "Mon:04:00-Mon:05:00"
rds_maintenance_window = "Mon:04:00-Mon:05:00"
# =============================================================================
# SECCION 7: SCHEDULING (APAGADO AUTOMATICO - SOLO TEST)
# =============================================================================
# Habilitar apagado automatico de EC2 y RDS para ahorrar costos
# RECOMENDADO: true para TEST, false para PROD
# TEST: true (apaga fines de semana)
# PROD: false (siempre encendido)
# Valor por defecto: true
enable_scheduling = true
# Zona horaria para las reglas de scheduling
# Valor por defecto: "America/Mexico_City"
schedule_timezone = "America/Mexico_City"
# Cron para INICIO de instancias (hora de Mexico)
# Por defecto: 8:00 AM Lunes-Viernes (13:00 UTC)
# Formato AWS cron: cron(minutes hours day-of-month month day-of-week year)
# Valor por defecto: "cron(0 13 ? * MON-FRI *)"
schedule_start_cron = "cron(0 13 ? * MON-FRI *)"
# Cron para APAGADO de instancias (hora de Mexico)
# Por defecto: 7:00 PM Lunes-Viernes (00:00 UTC siguiente dia)
# Valor por defecto: "cron(0 0 ? * TUE-SAT *)"
schedule_stop_cron = "cron(0 0 ? * TUE-SAT *)"
# =============================================================================
# SECCION 8: FRONTEND (S3 + CloudFront)
# =============================================================================
# Nombre del bucket S3 para alojar el frontend React
# DEBE ser unico a nivel global en AWS
# TEST: "sacc4-frontend-test-668889063715"
# PROD: "sacc4-frontend-prod-523761210517"
# [REQUERIDO] - Debe incluir ID de cuenta para garantizar unicidad
# NOTA: Si el bucket ya existe, Terraform fallara. Verificar primero.
frontend_bucket_name = "sacc4-frontend-test-668889063715"
# Clase de precio de CloudFront
# Opciones:
# "PriceClass_100" - Norteamérica y Europa (mas economico)
# "PriceClass_200" - + Asia y Oceania
# "PriceClass_All" - Global
# Valor por defecto: "PriceClass_100"
cloudfront_price_class = "PriceClass_100"
# Habilitar logging de CloudFront
# Valor por defecto: false
# Recomendado: true en produccion para debugging
enable_cloudfront_logging = false
# =============================================================================
# SECCION 9: CERTIFICADOS SSL (ACM)
# =============================================================================
# ARN del certificado SSL en ACM
# [REQUERIDO PARA HTTPS/PROD]
# Para CloudFront, el certificado DEBE estar en us-east-1 (N. Virginia)
# Aunque los recursos esten en mx-central-1
#
# Como obtener:
# 1. Ir a AWS Console -> Certificate Manager (region us-east-1)
# 2. Solicitar certificado para el domain_name
# 3. Validar via DNS (Route53) o Email
# 4. Copiar el ARN aqui
#
# TEST: "arn:aws:acm:us-east-1:668889063715:certificate/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
# PROD: "arn:aws:acm:us-east-1:523761210517:certificate/bfb41df2-79f1-40e5-95ad-404d4fe306e4"
#
# NOTA: Dejar vacio "" si aun no se tiene certificado. CloudFront se creara
# con HTTP solo y se actualizara manualmente despues.
certificate_arn = ""
# =============================================================================
# SECCION 10: TAGS Y METADATOS
# =============================================================================
# Tags comunes aplicados a TODOS los recursos
# Valor por defecto: ver abajo
# NOTA: Se agregan automaticamente tags adicionales por el provider:
# Environment, AccountId, CostCenter
common_tags = {
Project = "proyectosacc"
ManagedBy = "terraform"
Team = "infra"
Purpose = "test-environment"
}
# =============================================================================
# SECCION 11: VARIABLES AVANZADAS (opcional - modificar con precaucion)
# =============================================================================
# Configuracion de pool de conexiones HikariCP (aplicacion Java)
# Estos valores se inyectan via variables de entorno systemd
# Valores de PROD actual para referencia:
# max_pool_size = 4
# min_idle = 0
# idle_timeout = 300000
# max_lifetime = 1800000
# connection_timeout = 30000
# =============================================================================
# REFERENCIA RAPIDA: VALORES POR ENTORNO
# =============================================================================
# TEST PROD
# -------------------------------------------------------------------------
# Cuenta AWS: 668889063715 523761210517
# Region: mx-central-1 mx-central-1
# VPC CIDR: 10.3.0.0/16 10.2.0.0/16
# Dominio: dev-sacc.ccsoft.mx sacc.ccsoft.mx
# API: api.dev-sacc.ccsoft.mx api.sacc.ccsoft.mx
# EC2: t3.small t3.medium
# RDS: db.t3.micro db.t3.micro
# Scheduling: true (ahorro) false (24/7)
# AMI Ubuntu: ami-0f553e2869648134e ami-0f553e2869648134e
# -------------------------------------------------------------------------
# =============================================================================
# CHECKLIST PRE-DESPLIEGUE
# =============================================================================
# [ ] Crear/workspac: terraform workspace new test|prod
# [ ] Configurar credenciales AWS para la cuenta correcta
# [ ] Verificar que domain_name existe en Route53
# [ ] Solicitar certificado SSL en ACM (us-east-1)
# [ ] Generar llaves SSH para thoth y osiris
# [ ] Obtener IP publica actual para ssh_allowed_cidrs
# [ ] Definir contrasena segura para RDS (16+ caracteres)
# [ ] Verificar que frontend_bucket_name es unico globalmente
# [ ] Revisar CIDRs para evitar conflictos de red
# [ ] Ejecutar: terraform plan (revisar sin aplicar)
# =============================================================================
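Review bot: Most variable names in this template do not match the `variables.tf` that follows — the template sets `ec2_ami`, `ec2_instance_type`, `ssh_allowed_cidrs`, `rds_db_name`, `rds_master_username`, `rds_master_password` and `frontend_bucket_name`, while the declared variables are `ami_id`, `instance_type`, `my_ip`, `db_name`, `db_username`, `db_password` and `s3_bucket_name` — so if that file is the root module's, a copied tfvars produces "undeclared variable" warnings and `terraform plan` still fails on the unset `my_ip` and `db_password`. Independently of naming, every field marked `[REQUERIDO]` already carries a working value (a concrete `rds_master_password`, two real `ssh-ed25519` public keys), so `cp terraform.tfvars.example terraform.tfvars` followed by `apply` provisions a database password that is committed to the repository and grants SSH to whoever holds the matching private keys; leaving them as `rds_master_password = ""` and `thoth_public_key = ""` lets the plan surface the omission, and the password belongs in `TF_VAR_…` or a secrets manager rather than in any tfvars file. The note that the master password is reused for `sacc_app_user` means the application connects with master-equivalent credentials; a separate, least-privilege password for the app user is worth documenting here. The comment on `ssh_allowed_cidrs` states that `[]` limits SSH to the VPC, which depends on how the security-group module treats an empty list and should be cross-checked before it is relied on.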
+103
@@ -0,0 +1,103 @@
# Variables para duplicación de SACC v4
# =====================================
# Entorno
variable "environment" {
description = "Entorno de despliegue (test, dev, staging)"
type = string
default = "test"
}
# Región AWS
variable "aws_region" {
description = "Región AWS para despliegue"
type = string
default = "mx-central-1"
}
# VPC
variable "vpc_cidr" {
description = "CIDR block para la VPC"
type = string
default = "10.3.0.0/16"
}
variable "availability_zones" {
description = "Zonas de disponibilidad"
type = list(string)
default = ["mx-central-1a", "mx-central-1b"]
}
# EC2
variable "ami_id" {
description = "AMI de Ubuntu 22.04 LTS"
type = string
default = "ami-0f553e2869648134e"
}
variable "instance_type" {
description = "Tipo de instancia EC2"
type = string
default = "t3.small"
}
variable "key_name" {
description = "Nombre del key pair SSH"
type = string
default = "sacc4-test-key"
}
variable "my_ip" {
description = "Tu IP pública para acceso SSH (formato: xxx.xxx.xxx.xxx/32)"
type = string
}
# RDS
variable "db_name" {
description = "Nombre de la base de datos"
type = string
default = "sacc4_test"
}
variable "db_username" {
description = "Usuario administrador de la base de datos"
type = string
default = "sacc4_admin"
}
variable "db_password" {
description = "Contraseña de la base de datos (cambiar!)"
type = string
sensitive = true
}
variable "rds_instance_class" {
description = "Clase de instancia RDS"
type = string
default = "db.t3.micro"
}
variable "rds_allocated_storage" {
description = "Almacenamiento RDS en GB"
type = number
default = 20
}
# S3 / CloudFront
variable "s3_bucket_name" {
description = "Nombre único del bucket S3 para frontend"
type = string
default = "sacc4-frontend-test-ccsoft"
}
variable "domain_name" {
description = "Dominio para la aplicación"
type = string
default = "test-sacc.ccsoft.mx"
}
variable "certificate_arn" {
description = "ARN del certificado SSL en ACM"
type = string
default = ""
}