labadmin/proyectosacc-mirror
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(pipeline): agregar soporte para llaves SSH con passphrase en DEV

Browse Source 
Cambios:
- Actualizar pipeline DEV para usar ssh-agent + expect con passphrase
- Instalar 'expect' en steps que requieren SSH (01, 06, 07, 08)
- Agregar configuración de ssh-agent para desbloquear llave automáticamente
- Requiere nueva variable de Bitbucket: SSH_PASSPHRASE_THOTH
- Actualizar documentación de conexión con credenciales de BD
- Agregar script de validación de conexión EC2→RDS
- Agregar validación de cuenta AWS (solo recursos DEV)

Refs: Llaves SSH regeneradas con passphrase por seguridad
This commit is contained in:
Evert Daniel Romero Garrido
2026-04-27 13:26:12 -06:00
parent 15e499d970
commit 2e3627fb66
4 changed files with 574 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
bitbucket-pipelines.yml
+37 -5
View File
@@ -68,7 +68,7 @@ pipelines:
name: 01_image-setup
script:
- set -euo pipefail
- apt-get update -y && apt-get install -y openssh-client openjdk-21-jdk wget unzip curl
- apt-get update -y && apt-get install -y openssh-client openjdk-21-jdk wget unzip curl expect
- curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
- unzip -q awscliv2.zip
- ./aws/install
@@ -77,6 +77,14 @@ pipelines:
- echo "${SSH_PRIVATE_KEY_THOTH}" > ~/.ssh/sacc4_key
- chmod 600 ~/.ssh/sacc4_key
- ssh-keyscan -p "22" "${DEV_INSTANCE_IP}" >> ~/.ssh/known_hosts 2>/dev/null || true
- eval "$(ssh-agent -s)"
- |
expect -c "
spawn ssh-add ~/.ssh/sacc4_key
expect \"Enter passphrase\"
send \"${SSH_PASSPHRASE_THOTH}\r\"
expect eof
"
- export TELEGRAM_BOT_TOKEN="${DEV_TELEGRAM_BOT_TOKEN}"
- export TELEGRAM_CHAT_ID="${DEV_TELEGRAM_CHAT_ID}"
- bash scripts/telegram-pipeline-notify.sh start
@@ -177,11 +185,18 @@ pipelines:
name: 06_update_ssh_keys
script:
- set -euo pipefail
- apt-get update -y && apt-get install -y expect
- mkdir -p ~/.ssh
- echo "${SSH_PRIVATE_KEY_THOTH}" > ~/.ssh/sacc4_key
- chmod 600 ~/.ssh/sacc4_key
# Actualizar authorized_keys del usuario thoth con la llave pública del pipeline
# Esto asegura que solo el pipeline actual pueda acceder, rotando llaves automáticamente
- eval "$(ssh-agent -s)"
- |
expect -c "
spawn ssh-add ~/.ssh/sacc4_key
expect \"Enter passphrase\"
send \"${SSH_PASSPHRASE_THOTH}\r\"
expect eof
"
- |
DEV_PUB_KEY=$(echo "${SSH_PRIVATE_KEY_THOTH}" | ssh-keygen -y -f /dev/stdin)
ssh -p "22" \
@@ -195,7 +210,7 @@ pipelines:
name: 07_install
script:
- set -euo pipefail
- apt-get update -y && apt-get install -y curl unzip
- apt-get update -y && apt-get install -y curl unzip expect
- curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
- unzip -q awscliv2.zip
- ./aws/install
@@ -209,8 +224,16 @@ pipelines:
fi
if [ "${HAS_LOCAL_JAR}" = "true" ]; then
echo "INFO: Artefacto JAR encontrado localmente. Procediendo con instalación en servidor."
mkdir -p ~/.ssh
echo "${SSH_PRIVATE_KEY_THOTH}" > ~/.ssh/sacc4_key
chmod 600 ~/.ssh/sacc4_key
eval "$(ssh-agent -s)"
expect -c "
spawn ssh-add ~/.ssh/sacc4_key
expect \"Enter passphrase\"
send \"${SSH_PASSPHRASE_THOTH}\r\"
expect eof
"
ssh -p "22" \
-i ~/.ssh/sacc4_key \
-o StrictHostKeyChecking=no \
@@ -226,14 +249,23 @@ pipelines:
oidc: true
script:
- set -euo pipefail
- apt-get update -y && apt-get install -y curl unzip
- apt-get update -y && apt-get install -y curl unzip expect
- curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
- unzip -q awscliv2.zip
- ./aws/install
- aws --version
- source scripts/aws-oidc-setup.sh dev
- mkdir -p ~/.ssh
- echo "${SSH_PRIVATE_KEY_THOTH}" > ~/.ssh/sacc4_key
- chmod 600 ~/.ssh/sacc4_key
- eval "$(ssh-agent -s)"
- |
expect -c "
spawn ssh-add ~/.ssh/sacc4_key
expect \"Enter passphrase\"
send \"${SSH_PASSPHRASE_THOTH}\r\"
expect eof
"
- |
ssh -p "22" \
-i ~/.ssh/sacc4_key \