Edited with Bitbucket

This commit is contained in:
Evert Daniel Romero Garrido
2026-04-16 21:51:56 +00:00
parent 3597ba89e5
commit 63ba5553db
2 changed files with 22 additions and 7 deletions
+9
@@ -0,0 +1,9 @@
fix(terraform): corregir OIDC audience para Bitbucket Cloud
Bitbucket Cloud genera tokens JWT con audience fijo:
ari:cloud:bitbucket::workspace/465016f8-d6fb-4ecb-ba6f-2248e938942b
El archivo oidc-bitbucket.tf solo aceptaba sts.amazonaws.com,
lo que causaba InvalidIdentityToken en cada terraform apply.
Ahora el OIDC provider y el rol IAM aceptan ambos audiences
mediante ForAnyValue:StringEquals.
+13 -7
@@ -14,6 +14,9 @@ locals {
bitbucket_workspace = "ccsoft1" bitbucket_workspace = "ccsoft1"
bitbucket_oidc_url = "https://api.bitbucket.org/2.0/workspaces/${local.bitbucket_workspace}/pipelines-config/identity/oidc" bitbucket_oidc_url = "https://api.bitbucket.org/2.0/workspaces/${local.bitbucket_workspace}/pipelines-config/identity/oidc"
# UUID del workspace de Bitbucket Cloud para el audience fijo del OIDC.
bitbucket_workspace_uuid = "465016f8-d6fb-4ecb-ba6f-2248e938942b"
# ------------------------------------------------------------------ # ------------------------------------------------------------------
# REPO_UUID de proyectosacc # REPO_UUID de proyectosacc
# ------------------------------------------------------------------ # ------------------------------------------------------------------
@@ -40,12 +43,12 @@ data "tls_certificate" "bitbucket_oidc" {
resource "aws_iam_openid_connect_provider" "bitbucket" { resource "aws_iam_openid_connect_provider" "bitbucket" {
url = local.bitbucket_oidc_url url = local.bitbucket_oidc_url
# Usamos "sts.amazonaws.com" como audience para simplificar la # Bitbucket Cloud usa "ari:cloud:bitbucket::workspace/{uuid}" como audience
# configuración y evitar depender del Workspace UUID de Bitbucket. # fijo en los tokens JWT. Mantenemos "sts.amazonaws.com" por compatibilidad
# Esto requiere configurar "audiences: [sts.amazonaws.com]" en # con pipelines que aún lo configuren manualmente.
# bitbucket-pipelines.yml.
client_id_list = [ client_id_list = [
"sts.amazonaws.com" "sts.amazonaws.com",
"ari:cloud:bitbucket::workspace/${local.bitbucket_workspace_uuid}"
] ]
thumbprint_list = [ thumbprint_list = [
@@ -76,8 +79,11 @@ resource "aws_iam_role" "bitbucket_ci_cd" {
} }
Action = "sts:AssumeRoleWithWebIdentity" Action = "sts:AssumeRoleWithWebIdentity"
Condition = { Condition = {
StringEquals = { ForAnyValue:StringEquals = {
"${trimprefix(local.bitbucket_oidc_url, "https://")}:aud" = "sts.amazonaws.com" "${trimprefix(local.bitbucket_oidc_url, "https://")}:aud" = [
"sts.amazonaws.com",
"ari:cloud:bitbucket::workspace/${local.bitbucket_workspace_uuid}"
]
} }
StringLike = { StringLike = {
"${trimprefix(local.bitbucket_oidc_url, "https://")}:sub" = "${local.bitbucket_repo_uuid}:*" "${trimprefix(local.bitbucket_oidc_url, "https://")}:sub" = "${local.bitbucket_repo_uuid}:*"
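Review bot: The new condition key in the trust-policy hunk, `ForAnyValue:StringEquals = {`, is not valid HCL because an unquoted attribute name cannot contain a colon, so `terraform apply` will fail to parse the file; it must be written `"ForAnyValue:StringEquals" = {`. Note also that a plain `StringEquals` already matches any one value when the right-hand side is a list, so keeping the original operator, `StringEquals = { "...:aud" = ["sts.amazonaws.com", "ari:cloud:bitbucket::workspace/${local.bitbucket_workspace_uuid}"] }`, achieves the stated goal without introducing a set operator that is meant for multivalued context keys — worth confirming against the actual token before choosing. Since the commit message states that Bitbucket Cloud always emits the workspace ARI audience, continuing to accept `sts.amazonaws.com` (here and in `client_id_list` in the provider hunk) broadens what the role will accept; consider a comment such as `# TODO: drop "sts.amazonaws.com" once no pipeline sets a custom audience` so the extra audience is removed later. The `aws_iam_role.bitbucket_ci_cd` resource continues outside the hunk.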