From 4791fdcae6ef18778ffbf032b8cd48cf50ad82e3 Mon Sep 17 00:00:00 2001 From: Evert Daniel Romero Garrido Date: Thu, 16 Apr 2026 11:58:19 -0600 Subject: [PATCH 1/6] debug(oidc): print decoded JWT payload to diagnose audience mismatch --- scripts/aws-oidc-setup.sh | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/scripts/aws-oidc-setup.sh b/scripts/aws-oidc-setup.sh index 1d7e2c1..0ddc69c 100755 --- a/scripts/aws-oidc-setup.sh +++ b/scripts/aws-oidc-setup.sh @@ -53,6 +53,17 @@ echo "Session Name : $SESSION_NAME" echo "Token file : $AWS_WEB_IDENTITY_TOKEN_FILE" echo "Obteniendo credenciales temporales via STS..." +echo "=== Decoding OIDC Token ===" +python3 -c " +import json, base64, sys +t = open('${BITBUCKET_STEP_OIDC_TOKEN}').read().strip() +payload = t.split('.')[1] +padding = 4 - len(payload) % 4 +if padding != 4: payload += '=' * padding +print(json.dumps(json.loads(base64.b64decode(payload)), indent=2)) +" +echo "===========================" + CREDS=$(aws sts assume-role-with-web-identity \ --role-arn "$AWS_ROLE_ARN" \ --role-session-name "$SESSION_NAME" \ From c9c34a4328b16c647e4b4b70f3dbe2002971b195 Mon Sep 17 00:00:00 2001 From: Evert Daniel Romero Garrido Date: Thu, 16 Apr 2026 12:05:49 -0600 Subject: [PATCH 2/6] fix: mover oidc audiences a definitions para corregir Incorrect token audience --- bitbucket-pipelines.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/bitbucket-pipelines.yml b/bitbucket-pipelines.yml index 215ff41..6e797f4 100644 --- a/bitbucket-pipelines.yml +++ b/bitbucket-pipelines.yml @@ -10,12 +10,14 @@ image: atlassian/default-image:5 options: + max-time: 120 + +definitions: oidc: audiences: - sts.amazonaws.com - definitions: - steps: + steps: - step: ¬ify-start name: Notify Start script: From 40552bb5c78138f2699e428b69e5f0b6ee389977 Mon Sep 17 00:00:00 2001 
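Review bot: Nothing guards the new decode block, so every pipeline run writes the token's full decoded claim set (`sub`, `iss`, and whatever workspace/repository identifiers the payload carries) into the build log, which is readable more broadly than the token itself. Since the stated purpose is to diagnose the audience, print only the claims needed and gate the block, e.g. wrap it in `if [[ "${OIDC_DEBUG:-0}" == "1" ]]; then … fi` (a constructed flag name), and remove it once the mismatch is resolved. The token value is also interpolated straight into Python source via `'${BITBUCKET_STEP_OIDC_TOKEN}'`; a JWT's base64url alphabet cannot break out of the quotes, but feeding it on stdin keeps data out of code. The script's surrounding logic starts before this hunk.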
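Review bot: `max-time: 120` is an unrelated pipeline-wide change riding in a commit whose subject is the token audience; under `options:` it caps every step's runtime and is not mentioned in the message. If it is intended, say so in the commit message or split it into its own commit so a later revert or bisect of the audience fix does not also change the timeout. The rest of the hunk only reshuffles `definitions:`/`steps:` around the `oidc:` block.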
From: Evert Daniel Romero Garrido Date: Thu, 16 Apr 2026 12:12:26 -0600 Subject: [PATCH 3/6] fix: corregir lectura del token OIDC en aws-oidc-setup.sh --- scripts/aws-oidc-setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/aws-oidc-setup.sh b/scripts/aws-oidc-setup.sh index 0ddc69c..1241df1 100755 --- a/scripts/aws-oidc-setup.sh +++ b/scripts/aws-oidc-setup.sh @@ -56,7 +56,7 @@ echo "Obteniendo credenciales temporales via STS..." echo "=== Decoding OIDC Token ===" python3 -c " import json, base64, sys -t = open('${BITBUCKET_STEP_OIDC_TOKEN}').read().strip() +t = open('${AWS_WEB_IDENTITY_TOKEN_FILE}').read().strip() payload = t.split('.')[1] padding = 4 - len(payload) % 4 if padding != 4: payload += '=' * padding From 7f8f531172b0b5da7d0fdbaa35380836657eade3 Mon Sep 17 00:00:00 2001 From: Evert Daniel Romero Garrido Date: Thu, 16 Apr 2026 12:30:51 -0600 Subject: [PATCH 4/6] fix: move oidc audiences to options and step level per Atlassian docs --- bitbucket-pipelines.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/bitbucket-pipelines.yml b/bitbucket-pipelines.yml index 6e797f4..b457612 100644 --- a/bitbucket-pipelines.yml +++ b/bitbucket-pipelines.yml @@ -11,12 +11,11 @@ image: atlassian/default-image:5 options: max-time: 120 - -definitions: oidc: audiences: - sts.amazonaws.com +definitions: steps: - step: ¬ify-start name: Notify Start @@ -64,7 +63,9 @@ pipelines: - step: name: 03_terraform - oidc: true + oidc: + audiences: + - sts.amazonaws.com script: - set -euo pipefail - source scripts/aws-oidc-setup.sh dev @@ -155,7 +156,9 @@ pipelines: - step: name: 03_terraform - oidc: true + oidc: + audiences: + - sts.amazonaws.com script: - set -euo pipefail - source scripts/aws-oidc-setup.sh prod From b338e68852732f92dd55b23d994df30ad347ed51 Mon Sep 17 00:00:00 2001 
From: Evert Daniel Romero Garrido Date: Thu, 16 Apr 2026 13:06:54 -0600 Subject: [PATCH 5/6] fix: revert step-level oidc to simple true for parsing compatibility --- bitbucket-pipelines.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/bitbucket-pipelines.yml b/bitbucket-pipelines.yml index b457612..22b9fe9 100644 --- a/bitbucket-pipelines.yml +++ b/bitbucket-pipelines.yml @@ -63,9 +63,7 @@ pipelines: - step: name: 03_terraform - oidc: - audiences: - - sts.amazonaws.com + oidc: true script: - set -euo pipefail - source scripts/aws-oidc-setup.sh dev @@ -156,9 +154,7 @@ pipelines: - step: name: 03_terraform - oidc: - audiences: - - sts.amazonaws.com + oidc: true script: - set -euo pipefail - source scripts/aws-oidc-setup.sh prod From dd2f31ec2abbda82180bb7c43920dd236765b220 Mon Sep 17 00:00:00 2001 From: Evert Daniel Romero Garrido Date: Thu, 16 Apr 2026 13:37:36 -0600 Subject: [PATCH 6/6] fix(pipeline): corregir OIDC token handling y backend region validation - Escribe BITBUCKET_STEP_OIDC_TOKEN a archivo temporal para evitar OSError: File name too long en el decoder JWT - Python lee token via stdin en lugar de pasar JWT como filename - Agrega skip_region_validation = true en backend.dev.hcl y backend.prod.hcl para compatibilidad con mx-central-1 --- scripts/aws-oidc-setup.sh | 28 ++++++++++++++++++---------- terraform/backend.dev.hcl | 3 ++- terraform/backend.prod.hcl | 3 ++- 3 files changed, 22 insertions(+), 12 deletions(-) diff --git a/scripts/aws-oidc-setup.sh b/scripts/aws-oidc-setup.sh index 1241df1..0152e37 100755 --- a/scripts/aws-oidc-setup.sh +++ b/scripts/aws-oidc-setup.sh 
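Review bot: With `oidc: true` back at step level and the audience declared once under `options:`, the only thing binding these tokens to this repository is the IAM trust policy on the roles the script assumes (the prod ARN is visible in the later hunk; the dev one is not), which is outside this series. Confirm that the trust policy's condition on `AssumeRoleWithWebIdentity` checks both `aud` (`sts.amazonaws.com`) and `sub`, which identifies the repository; an `aud`-only condition would let any Bitbucket workspace whose token carries the same audience assume the role. The same applies to the prod step in the second hunk (`@@ -156,9 +154,7 @@`).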
@@ -1,8 +1,8 @@ #!/bin/bash # =============================================================================================================== # aws-oidc-setup.sh - Configura credenciales AWS via OIDC para Bitbucket Pipelines -# Descripción: -# Obtiene credenciales temporales de AWS explícitamente mediante +# Descripcion: +# Obtiene credenciales temporales de AWS explicitamente mediante # assume-role-with-web-identity y exporta las variables necesarias # para que Terraform (incluyendo su backend S3) y AWS CLI funcionen. # @@ -28,13 +28,18 @@ fi ENV="${1:-dev}" if [[ -z "${BITBUCKET_STEP_OIDC_TOKEN:-}" ]]; then - echo "ERROR: BITBUCKET_STEP_OIDC_TOKEN no está definido." - echo "Asegúrate de agregar 'oidc: true' al step en bitbucket-pipelines.yml" + echo "ERROR: BITBUCKET_STEP_OIDC_TOKEN no esta definido." + echo "Asegurate de agregar 'oidc: true' al step en bitbucket-pipelines.yml" exit 1 fi -export AWS_WEB_IDENTITY_TOKEN_FILE="$(pwd)/web-identity-token" -printf '%s' "${BITBUCKET_STEP_OIDC_TOKEN}" > "${AWS_WEB_IDENTITY_TOKEN_FILE}" +# Escribir el token a un archivo temporal seguro para evitar que el decoder +# de Python trate el JWT crudo como un nombre de archivo (OSError 36). +TOKEN_FILE="$(mktemp)" +trap 'rm -f "${TOKEN_FILE}"' EXIT + +printf '%s' "${BITBUCKET_STEP_OIDC_TOKEN}" > "${TOKEN_FILE}" +export AWS_WEB_IDENTITY_TOKEN_FILE="${TOKEN_FILE}" if [[ "$ENV" == "prod" ]]; then export AWS_ROLE_ARN="arn:aws:iam::523761210517:role/BitbucketProyectosaccCICDRoleProd" 
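Review bot: `trap 'rm -f "${TOKEN_FILE}"' EXIT` is installed from a script the pipeline steps `source` (see the `source scripts/aws-oidc-setup.sh dev` lines in the bitbucket-pipelines.yml hunks), so it runs in the step's own shell and replaces any EXIT trap that shell already had instead of adding to it; anything else registered for cleanup in the step is silently dropped. If that is acceptable, say so next to the trap, e.g. `# NOTE: this script is sourced; this replaces the caller's EXIT trap`, otherwise chain the existing handler. Moving the token from `$(pwd)/web-identity-token` to `mktemp` is the right call: the token no longer sits in the checkout where a later artifact or cache step could pick it up, and mktemp creates the file with owner-only permissions.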
@@ -54,14 +59,17 @@ echo "Token file : $AWS_WEB_IDENTITY_TOKEN_FILE" echo "Obteniendo credenciales temporales via STS..." echo "=== Decoding OIDC Token ===" +# Leer el token desde stdin para nunca pasar el contenido como argumento o filename. python3 -c " import json, base64, sys -t = open('${AWS_WEB_IDENTITY_TOKEN_FILE}').read().strip() +t = sys.stdin.read().strip() payload = t.split('.')[1] padding = 4 - len(payload) % 4 if padding != 4: payload += '=' * padding -print(json.dumps(json.loads(base64.b64decode(payload)), indent=2)) -" +decoded = json.loads(base64.b64decode(payload)) +print(json.dumps(decoded, indent=2)) +print('aud claim :', decoded.get('aud', 'N/A')) +" < "${TOKEN_FILE}" echo "===========================" CREDS=$(aws sts assume-role-with-web-identity \ @@ -75,7 +83,7 @@ export AWS_ACCESS_KEY_ID=$(echo "$CREDS" | python3 -c "import sys,json; print(js export AWS_SECRET_ACCESS_KEY=$(echo "$CREDS" | python3 -c "import sys,json; print(json.load(sys.stdin)['Credentials']['SecretAccessKey'])") export AWS_SESSION_TOKEN=$(echo "$CREDS" | python3 -c "import sys,json; print(json.load(sys.stdin)['Credentials']['SessionToken'])") -# Terraform S3 backend requiere estas variables explícitas +# Terraform S3 backend requiere estas variables explicitas export AWS_REGION="${AWS_DEFAULT_REGION}" echo "Credenciales obtenidas exitosamente." diff --git a/terraform/backend.dev.hcl b/terraform/backend.dev.hcl index 07e95ce..c8423a6 100644 --- a/terraform/backend.dev.hcl +++ b/terraform/backend.dev.hcl @@ -2,4 +2,5 @@ bucket = "ccsoft-terraform-state" key = "proyectosacc/terraform.tfstate" region = "mx-central-1" encrypt = true -dynamodb_table = "terraform-locks" +dynamodb_table = "terraform-locks" +skip_region_validation = true diff --git a/terraform/backend.prod.hcl b/terraform/backend.prod.hcl index 9511df4..dcf5499 100644 --- a/terraform/backend.prod.hcl +++ b/terraform/backend.prod.hcl 
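Review bot: `base64.b64decode(payload)` in the new decoder uses the wrong alphabet for a JWT: the segments are base64url, and with the default `validate=False` the `-` and `_` characters are silently discarded rather than rejected, so the printed payload and the `aud claim` line this commit adds can be garbage or a JSON error whenever those characters occur — which is easy to misread as an audience problem. Use `decoded = json.loads(base64.urlsafe_b64decode(payload))`; the manual `=` padding above it is still required. Reading the token on stdin instead of interpolating it is an improvement; the full-claims dump still goes to the log on every run, so now that the `aud` line exists consider printing only `aud`/`iss`/`sub`.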
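Review bot: The three `export AWS_…=$(echo "$CREDS" | python3 -c …)` lines that form this hunk's context mask the parser's exit status (the status of `export var=$(…)` is export's, not the command's), so under the step's `set -euo pipefail` an error-shaped or malformed STS response exports empty credentials and the step continues until terraform fails with a less useful error. Parse the response once and fail explicitly:
```shell
# … unchanged: aws sts assume-role-with-web-identity call into CREDS …
# Parse the STS response once; a parse failure must abort instead of exporting empty values.
read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN < <(
  printf '%s' "$CREDS" | python3 -c "import sys, json; c = json.load(sys.stdin)['Credentials']; print(c['AccessKeyId'], c['SecretAccessKey'], c['SessionToken'])"
) || { echo "ERROR: respuesta de STS inesperada." >&2; exit 1; }
export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
# … unchanged: AWS_REGION export and success message …
```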
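Review bot: `skip_region_validation = true` is added with no in-file explanation; the reason (mx-central-1 compatibility) lives only in the commit message, and the same flag appears in `terraform/backend.prod.hcl` in the next hunk. Add a comment above it such as `# mx-central-1 compatibility, see commit dd2f31e; presumably the backend's SDK does not recognise the region yet — revisit once it does`, because with the check skipped a typo in `region` is no longer caught at init and a future reader has no cue to remove the flag when it stops being necessary.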
@@ -2,4 +2,5 @@ bucket = "ccsoft-proyectosacc-terraform-state-prod"
 key = "proyectosacc/terraform.tfstate"
 region = "mx-central-1"
 encrypt = true
-dynamodb_table = "terraform-locks-proyectosacc-prod"
+dynamodb_table = "terraform-locks-proyectosacc-prod"
+skip_region_validation = true