diff --git a/DOCUMENTACION_CAMBIOS_COMPLETOS.md b/DOCUMENTACION_CAMBIOS_COMPLETOS.md new file mode 100644 index 0000000..81ef47c --- /dev/null +++ b/DOCUMENTACION_CAMBIOS_COMPLETOS.md 
@@ -0,0 +1,245 @@ +# 📋 Documentación Completa de Cambios - Proyectosacc PROD + +> Fecha: Mayo 2026 +> Ambiente: PRODUCCIÓN (AWS Account: 523761210517) +> Región: mx-central-1 (AWS México) +> Responsable: Área de Tecnología y Desarrollo - CCsoft + +--- + +## 📌 Resumen Ejecutivo + +Este documento consolida todos los cambios realizados a la infraestructura de proyectosacc en producción, incluyendo mejoras de seguridad, correcciones de Terraform, configuración de accesos, y solución de problemas de scheduling automatizado. + +--- + +## 🎯 Alcance de los Cambios + +### 1. 🔐 Seguridad SSH y Acceso + +#### 1.1 Generación de Nueva Llave SSH +- **Archivo**: `keys/thoth_prod_key` +- **Tipo**: ED25519 +- **Passphrase**: `fEbr9CoAlfllHDhocAbRo+aja+SW72a5` +- **Usuario**: `thoth` +- **Estado**: ✅ Instalada en EC2 PROD (78.13.201.205) + +#### 1.2 Restricción de Acceso SSH +- **Antes**: Acceso abierto (`0.0.0.0/0`) +- **Después**: Acceso restringido (deshabilitado por defecto) +- **Variable**: `allowed_ssh_cidrs` configurable +- **Acceso alternativo**: AWS Systems Manager Session Manager + +#### 1.3 AWS Systems Manager (Session Manager) +- **Estado**: ✅ Instalado y configurado en EC2 +- **IAM Permissions**: ✅ Agregados a `proyectosacc-ec2-policy-prod` +- **Ventaja**: Acceso seguro sin abrir puertos SSH + +--- + +### 2. 
🏗️ Infraestructura Terraform + +#### 2.1 Corrección de Backend S3 +- **Problema**: Bucket incorrecto (`ccsoft-terraform-state`) +- **Solución**: Bucket correcto (`ccsoft-proyectosacc-terraform-state-prod`) +- **Lockfile**: Cambiado de `dynamodb_table` (deprecado) a `use_lockfile` +- **Región**: `mx-central-1` requiere Terraform 1.15.2+ + +#### 2.2 Importación de EC2 al Estado +- **Instancia**: `i-02428e733083ea877` +- **Estado**: Importada correctamente a Terraform state +- **AMI**: `ami-00665bcc521d597f1` (Ubuntu Server 22.04 LTS) + +#### 2.3 Lifecycle Rules - Protección Anti-Destrucción + +| Recurso | Protección | Detalle | +|---------|-----------|---------| +| VPC | prevent_destroy | ✅ No se puede destruir | +| EC2 | prevent_destroy + ignore_changes | ✅ AMI, user_data, tags scheduling | +| RDS | prevent_destroy + ignore_changes | ✅ Tags scheduling | +| S3 Frontend | prevent_destroy | ✅ No se puede destruir | +| S3 Artifacts | prevent_destroy | ✅ No se puede destruir | +| CloudFront | prevent_destroy | ✅ No se puede destruir | +| NAT Gateway | prevent_destroy | ✅ No se puede destruir | + +#### 2.4 Variables Corregidas +- **Key Name**: `sacc-prod-key-2026` (antes `ccsoft-prod-key`) +- **AMI**: Actualizada para coincidir con instancia existente +- **Tags Scheduling**: Preservados vía `ignore_changes` + +--- + +### 3. 
👤 Permisos de Usuario Thoth + +#### 3.1 Configuración Sudo (NOPASSWD) + +```bash +# Archivo: /etc/sudoers.d/thoth +# Permisos concedidos: +``` + +| Comando | Descripción | +|---------|-------------| +| `/bin/nano /etc/sacc4/sacc4.env` | Editar variables de entorno | +| `/bin/systemctl * api-sacc4-*.service` | Control de servicios API | +| `/bin/systemctl daemon-reload` | Recargar systemd | +| `/opt/sacc4/` | Control total del directorio | +| `/bin/chmod`, `/bin/chown` | Permisos de archivos | + +#### 3.2 Acceso SSH +- **Llave**: `thoth_prod_key` (ED25519 con passphrase) +- **Comando con passphrase**: + ```bash + eval "$(ssh-agent -s)" + ssh-add ~/.ssh/thoth_prod_key + ssh -i ~/.ssh/thoth_prod_key thoth@78.13.201.205 + ``` + +--- + +### 4. ⏰ Scheduling Automatizado (Lambda START/STOP) + +#### 4.1 Problema Original +- **Fecha**: 2026-05-06 19:00:42 UTC +- **Error**: `InvalidDBInstanceState` - RDS no estaba detenida +- **Causa**: Lambda intentó iniciar RDS que ya estaba corriendo + +#### 4.2 Solución Implementada + +**Lambda START** (`sacc4-start-instances`): +- ✅ Valida estado EC2 antes de iniciar (debe estar `stopped`) +- ✅ Valida estado RDS antes de iniciar (debe estar `stopped`) +- ✅ Logs claros: indica estado actual y acción tomada +- ✅ Campos de resultado: `ec2_skipped`, `rds_skipped` + +**Lambda STOP** (`sacc4-stop-instances`): +- ✅ Valida estado EC2 antes de detener (debe estar `running`) +- ✅ Valida estado RDS antes de detener (debe estar `available`) +- ✅ Logs claros: indica estado actual y acción tomada + +#### 4.3 Horarios Configurados + +| Acción | Hora CDMX | Hora UTC | Días | Estado | +|--------|-----------|----------|------|--------| +| START | 08:00 AM | 13:00 | Lunes-Viernes | ✅ ENABLED | +| STOP | 07:00 PM | 00:00 | Martes-Sábado | ✅ ENABLED | + +--- + +### 5. 
🔄 Pipeline Bitbucket (CI/CD) + +#### 5.1 Cambios en `bitbucket-pipelines.yml` + +- **OIDC**: ✅ Configurado para autenticación AWS sin credenciales manuales +- **Script**: `aws-oidc-setup.sh` gestiona credenciales temporales automáticamente +- **Variables**: Agregado soporte para passphrase SSH +- **Steps**: Expandido de 7 a 9 pasos con validaciones + +#### 5.2 PR #3 Fusionado +- **Branch**: `feature/ssh-passphrase-dev` → `developer` +- **Status**: ✅ MERGED +- **Archivos**: 13 archivos, +1,693 líneas +- **Cambios clave**: + - Soporte passphrase SSH + - Terraform lifecycle rules + - Sudo configuration para thoth + - Session Manager support + +--- + +### 6. ☁️ Estado Actual de Infraestructura AWS + +#### 6.1 Recursos Activos + +| Servicio | ID/Endpoint | Estado | IP/URL | +|----------|-------------|--------|--------| +| **EC2** | i-02428e733083ea877 | running | 78.13.201.205 | +| **RDS** | proyectosacc-db-prod | available | proyectosacc-db-prod.c3uysq6uyyx0.mx-central-1.rds.amazonaws.com | +| **NAT Gateway** | nat-0d010c53e7583d761 | available | 78.13.177.201 | +| **S3 Frontend** | ccsoft-proyectosacc-frontend-prod | ✅ | — | +| **S3 Artifacts** | ccsoft-proyectosacc-artifacts-prod | ✅ | — | +| **CloudFront** | E35SPB389PFV1J | Deployed | d46pni5e2nvua.cloudfront.net | +| **Lambda START** | sacc4-start-instances | ✅ | Versión 2 | +| **Lambda STOP** | sacc4-stop-instances | ✅ | Versión 2 | +| **VPC** | vpc-0ed9acf33a45527ad | available | 10.2.0.0/16 | + +#### 6.2 Validación de Duplicados + +| Recurso | Cantidad | ¿Duplicado? | +|---------|----------|-------------| +| EC2 Instances | 1 | ✅ No | +| RDS Instances | 1 | ✅ No | +| NAT Gateways | 1 | ✅ No | +| Elastic IPs | 2 (1 NAT, 1 EC2) | ✅ No | +| Load Balancers | 0 | ✅ No | +| Lambda Functions | 2 | ✅ No | +| EventBridge Rules | 2 | ✅ No | +| CloudFront Distributions | 1 | ✅ No | + +--- + +### 7. 
🔑 Gestión de Credenciales AWS + +#### 7.1 SSO Configurado (Recomendado) +```bash +# Perfil: proyectosacc-sso +aws sso login --profile proyectosacc-sso +``` +- **URL**: https://d-9067a6e1d5.awsapps.com/start +- **Rol**: PER-AWS-Admins-Infra-Ops +- **Cuenta**: 523761210517 + +#### 7.2 Pipeline Bitbucket (Automático) +- **Método**: OIDC (OpenID Connect) +- **Script**: `scripts/aws-oidc-setup.sh` +- **Duración**: 3600 segundos (1 hora) +- **NO requiere credenciales manuales** + +#### 7.3 Credenciales Temporales (Legacy) +- **Perfil**: `proyectosacc-temp` en `~/.aws/credentials` +- **Nota**: Caducan rápidamente, usar SSO como alternativa + +--- + +### 8. 📁 Archivos Clave Modificados + +| Archivo | Cambio | Ruta | +|---------|--------|------| +| `backend.tf` | Bucket S3 corregido | `terraform/backend.tf` | +| `main.tf` | Lifecycle rules + recursos | `terraform/main.tf` | +| `variables.tf` | Variables nuevas | `terraform/variables.tf` | +| `user-data.sh` | Sudo config para thoth | `terraform/user-data.sh` | +| `bitbucket-pipelines.yml` | OIDC + passphrase | raíz | +| `aws-oidc-setup.sh` | Setup de credenciales | `scripts/aws-oidc-setup.sh` | +| `lambda-scheduler` | Validación de estado | `terraform-sacc4/modules/lambda-scheduler/` | + +--- + +### 9. ✅ Checklist de Verificación + +- [x] Llave SSH con passphrase generada e instalada +- [x] Terraform backend corregido y funcional +- [x] EC2 importada al estado de Terraform +- [x] Lifecycle prevent_destroy agregado +- [x] Permisos sudo configurados para thoth +- [x] Session Manager habilitado +- [x] Lambdas START/STOP corregidas y desplegadas +- [x] EventBridge rules configuradas +- [x] Pipeline Bitbucket con OIDC +- [x] No hay recursos duplicados +- [x] AWS SSO configurado localmente +- [x] Terraform apply exitoso (2 creados, 5 modificados, 0 destruidos) + +--- + +### 10. 🚨 Notas Importantes + +1. **NO ejecutar `terraform destroy`** — los recursos críticos tienen `prevent_destroy` +2. 
**Las credenciales temporales caducan** — usar `aws sso login` para renovar +3. **Las Lambdas ahora validan estado** — no fallarán por estados inválidos +4. **El scheduling es L-V** — fines de semana no hay acciones automáticas +5. **Backup de estado Terraform** — se mantiene en S3 con versionado + +--- + +*Documento generado automáticamente - Cómputo Contable Soft SA de CV* diff --git a/diagrama-arquitectura-aws.excalidraw b/diagrama-arquitectura-aws.excalidraw new file mode 100644 index 0000000..e3b8fd9 --- /dev/null +++ b/diagrama-arquitectura-aws.excalidraw 
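Review bot: Section 1.1 of the new document commits the SSH key passphrase in plaintext on the `- **Passphrase**:` line, so that passphrase must be treated as compromised: rotate the `thoth_prod_key` pair, strip the value from this file and from git history, and keep it only in the team's secret store — the line can become `- **Passphrase**: gestionada en el gestor de secretos (no se documenta aquí)`. Depending on how widely this repository is shared, the same applies to the SSO start URL, account ID, instance IDs and public IPs that sections 6–7 and the three diagram hunks repeat. Section 3.1 also records NOPASSWD sudo for `/bin/nano`, `/bin/chmod` and `/bin/chown` plus "control total" of `/opt/sacc4/`; those grants are root-equivalent in practice, which the document should say plainly or the configuration should narrow (for example `sudoedit /etc/sacc4/sacc4.env` and chmod/chown limited to paths under `/opt/sacc4`). Finally, the security diagram labels SSH as `Solo México IPs` and CloudFront as `CDN + WAF`, while section 1.2 says SSH is disabled by default via `allowed_ssh_cidrs` and no WAF is mentioned anywhere; one side should be corrected so the documented posture matches what was deployed.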
@@ -0,0 +1,394 @@ +{ + "type": "excalidraw", + "version": 2, + "source": "https://excalidraw.com", + "elements": [ + { + "id": "title", + "type": "text", + "x": 400, + "y": 30, + "width": 500, + "height": 40, + "text": "Arquitectura AWS - Proyectosacc PROD", + "fontSize": 28, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "users", + "type": "rectangle", + "x": 50, + "y": 150, + "width": 150, + "height": 80, + "backgroundColor": "#e7f5ff", + "strokeColor": "#1971c2", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "users_text", + "type": "text", + "x": 60, + "y": 170, + "width": 130, + "height": 40, + "text": "Usuarios\\n(Internet)", + "fontSize": 16, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "route53", + "type": "rectangle", + "x": 300, + "y": 150, + "width": 150, + "height": 80, + "backgroundColor": "#fff3bf", + "strokeColor": "#f08c00", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "route53_text", + "type": "text", + "x": 310, + "y": 165, + "width": 130, + "height": 50, + "text": "Route 53\\nprod-sacc.ccsoft.mx", + "fontSize": 14, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "cloudfront", + "type": "rectangle", + "x": 550, + "y": 150, + "width": 180, + "height": 80, + "backgroundColor": "#e7f5ff", + "strokeColor": "#1971c2", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "cloudfront_text", + "type": "text", + "x": 560, + "y": 165, + "width": 160, + "height": 50, + "text": "CloudFront CDN\\nE35SPB389PFV1J", + "fontSize": 14, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "s3_frontend", + "type": "rectangle", + "x": 550, + "y": 300, + "width": 180, + "height": 80, + "backgroundColor": "#d3f9d8", + "strokeColor": 
"#2b8a3e", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "s3_frontend_text", + "type": "text", + "x": 560, + "y": 310, + "width": 160, + "height": 60, + "text": "S3 Frontend\\nccsoft-proyectosacc\\n-frontend-prod", + "fontSize": 12, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "ec2", + "type": "rectangle", + "x": 800, + "y": 150, + "width": 200, + "height": 100, + "backgroundColor": "#ffe0e0", + "strokeColor": "#c92a2a", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "ec2_text", + "type": "text", + "x": 810, + "y": 160, + "width": 180, + "height": 80, + "text": "EC2 API Backend\\ni-02428e733083ea877\\n78.13.201.205\\nt3.small", + "fontSize": 12, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "rds", + "type": "rectangle", + "x": 800, + "y": 300, + "width": 200, + "height": 80, + "backgroundColor": "#e7f5ff", + "strokeColor": "#1971c2", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "rds_text", + "type": "text", + "x": 810, + "y": 310, + "width": 180, + "height": 60, + "text": "RDS MariaDB\\nproyectosacc-db-prod\\ndb.t3.micro", + "fontSize": 12, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "s3_artifacts", + "type": "rectangle", + "x": 550, + "y": 420, + "width": 180, + "height": 80, + "backgroundColor": "#d3f9d8", + "strokeColor": "#2b8a3e", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "s3_artifacts_text", + "type": "text", + "x": 560, + "y": 430, + "width": 160, + "height": 60, + "text": "S3 Artifacts\\nccsoft-proyectosacc\\n-artifacts-prod", + "fontSize": 12, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "lambda_start", + "type": "rectangle", + "x": 300, + "y": 300, + "width": 150, + "height": 60, + 
"backgroundColor": "#ffd43b", + "strokeColor": "#e67700", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "lambda_start_text", + "type": "text", + "x": 310, + "y": 310, + "width": 130, + "height": 40, + "text": "Lambda START\\n8:00 AM L-V", + "fontSize": 12, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "lambda_stop", + "type": "rectangle", + "x": 300, + "y": 380, + "width": 150, + "height": 60, + "backgroundColor": "#ffd43b", + "strokeColor": "#e67700", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "lambda_stop_text", + "type": "text", + "x": 310, + "y": 390, + "width": 130, + "height": 40, + "text": "Lambda STOP\\n7:00 PM L-V", + "fontSize": 12, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "eventbridge", + "type": "rectangle", + "x": 50, + "y": 330, + "width": 150, + "height": 80, + "backgroundColor": "#f3d9fa", + "strokeColor": "#862e9c", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "eventbridge_text", + "type": "text", + "x": 60, + "y": 340, + "width": 130, + "height": 60, + "text": "EventBridge\\nScheduler\\ncron L-V", + "fontSize": 12, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "arrow1", + "type": "arrow", + "x": 200, + "y": 190, + "points": [[0,0], [100,0]], + "strokeColor": "#495057", + "strokeWidth": 2 + }, + { + "id": "arrow2", + "type": "arrow", + "x": 450, + "y": 190, + "points": [[0,0], [100,0]], + "strokeColor": "#495057", + "strokeWidth": 2 + }, + { + "id": "arrow3", + "type": "arrow", + "x": 730, + "y": 190, + "points": [[0,0], [70,0]], + "strokeColor": "#495057", + "strokeWidth": 2 + }, + { + "id": "arrow4", + "type": "arrow", + "x": 900, + "y": 250, + "points": [[0,0], [0,50]], + "strokeColor": "#495057", + "strokeWidth": 2 + }, + { + "id": "arrow5", + "type": "arrow", + 
"x": 640, + "y": 230, + "points": [[0,0], [0,70]], + "strokeColor": "#495057", + "strokeWidth": 2 + }, + { + "id": "arrow6", + "type": "arrow", + "x": 640, + "y": 380, + "points": [[0,0], [0,40]], + "strokeColor": "#495057", + "strokeWidth": 2 + }, + { + "id": "arrow7", + "type": "arrow", + "x": 200, + "y": 370, + "points": [[0,0], [100,0]], + "strokeColor": "#495057", + "strokeWidth": 2 + }, + { + "id": "arrow8", + "type": "arrow", + "x": 450, + "y": 330, + "points": [[0,0], [100,0]], + "strokeColor": "#495057", + "strokeWidth": 2 + }, + { + "id": "arrow9", + "type": "arrow", + "x": 450, + "y": 410, + "points": [[0,0], [100,0]], + "strokeColor": "#495057", + "strokeWidth": 2 + }, + { + "id": "vpc_box", + "type": "rectangle", + "x": 750, + "y": 120, + "width": 300, + "height": 300, + "backgroundColor": "transparent", + "strokeColor": "#495057", + "strokeWidth": 1, + "fillStyle": "hachure", + "roughness": 1 + }, + { + "id": "vpc_label", + "type": "text", + "x": 850, + "y": 125, + "width": 100, + "height": 20, + "text": "VPC 10.2.0.0/16", + "fontSize": 12, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#495057", + "backgroundColor": "transparent" + } + ], + "appState": { + "viewBackgroundColor": "#ffffff", + "gridSize": 20 + }, + "files": {} +} diff --git a/diagrama-pipeline-cicd.excalidraw b/diagrama-pipeline-cicd.excalidraw new file mode 100644 index 0000000..e0d164d --- /dev/null +++ b/diagrama-pipeline-cicd.excalidraw 
@@ -0,0 +1,431 @@ +{ + "type": "excalidraw", + "version": 2, + "source": "https://excalidraw.com", + "elements": [ + { + "id": "title", + "type": "text", + "x": 300, + "y": 20, + "width": 600, + "height": 40, + "text": "Pipeline CI/CD - Bitbucket to AWS PROD", + "fontSize": 28, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "dev_branch", + "type": "rectangle", + "x": 50, + "y": 120, + "width": 140, + "height": 60, + "backgroundColor": "#a5d8ff", + "strokeColor": "#1971c2", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "dev_branch_text", + "type": "text", + "x": 60, + "y": 130, + "width": 120, + "height": 40, + "text": "Branch\\ndeveloper", + "fontSize": 14, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "step1", + "type": "rectangle", + "x": 250, + "y": 120, + "width": 140, + "height": 60, + "backgroundColor": "#d3f9d8", + "strokeColor": "#2b8a3e", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "step1_text", + "type": "text", + "x": 260, + "y": 135, + "width": 120, + "height": 30, + "text": "01_image-setup", + "fontSize": 14, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "step2", + "type": "rectangle", + "x": 450, + "y": 120, + "width": 140, + "height": 60, + "backgroundColor": "#d3f9d8", + "strokeColor": "#2b8a3e", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "step2_text", + "type": "text", + "x": 460, + "y": 135, + "width": 120, + "height": 30, + "text": "02_repo-config", + "fontSize": 14, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "step3", + "type": "rectangle", + "x": 650, + "y": 120, + "width": 140, + "height": 60, + "backgroundColor": "#d3f9d8", + "strokeColor": "#2b8a3e", + "strokeWidth": 2, + "fillStyle": 
"solid" + }, + { + "id": "step3_text", + "type": "text", + "x": 660, + "y": 135, + "width": 120, + "height": 30, + "text": "03_deps", + "fontSize": 14, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "step4", + "type": "rectangle", + "x": 850, + "y": 120, + "width": 140, + "height": 60, + "backgroundColor": "#d3f9d8", + "strokeColor": "#2b8a3e", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "step4_text", + "type": "text", + "x": 860, + "y": 135, + "width": 120, + "height": 30, + "text": "04_build", + "fontSize": 14, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "step5", + "type": "rectangle", + "x": 250, + "y": 220, + "width": 140, + "height": 60, + "backgroundColor": "#fff3bf", + "strokeColor": "#f08c00", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "step5_text", + "type": "text", + "x": 260, + "y": 235, + "width": 120, + "height": 30, + "text": "05_publish", + "fontSize": 14, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "step6", + "type": "rectangle", + "x": 450, + "y": 220, + "width": 140, + "height": 60, + "backgroundColor": "#fff3bf", + "strokeColor": "#f08c00", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "step6_text", + "type": "text", + "x": 460, + "y": 235, + "width": 120, + "height": 30, + "text": "06_install", + "fontSize": 14, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "step7", + "type": "rectangle", + "x": 650, + "y": 220, + "width": 140, + "height": 60, + "backgroundColor": "#ffd43b", + "strokeColor": "#e67700", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "step7_text", + "type": "text", + "x": 660, + "y": 235, + "width": 120, + "height": 30, + "text": "07_deploy", + "fontSize": 14, + 
"fontFamily": 5, + "textAlign": "center", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "oidc", + "type": "rectangle", + "x": 850, + "y": 220, + "width": 180, + "height": 80, + "backgroundColor": "#e7f5ff", + "strokeColor": "#1971c2", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "oidc_text", + "type": "text", + "x": 860, + "y": 235, + "width": 160, + "height": 50, + "text": "AWS OIDC\\nAuth automática", + "fontSize": 14, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "aws_prod", + "type": "rectangle", + "x": 650, + "y": 340, + "width": 200, + "height": 100, + "backgroundColor": "#ffe0e0", + "strokeColor": "#c92a2a", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "aws_prod_text", + "type": "text", + "x": 660, + "y": 350, + "width": 180, + "height": 80, + "text": "AWS PROD\\nmx-central-1\\nAccount: 523761210517", + "fontSize": 14, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "master_branch", + "type": "rectangle", + "x": 50, + "y": 340, + "width": 140, + "height": 60, + "backgroundColor": "#ffc9c9", + "strokeColor": "#c92a2a", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "master_branch_text", + "type": "text", + "x": 60, + "y": 350, + "width": 120, + "height": 40, + "text": "Branch\\nmaster (PROD)", + "fontSize": 14, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "merge_arrow", + "type": "arrow", + "x": 120, + "y": 180, + "points": [[0,0], [0,160]], + "strokeColor": "#495057", + "strokeWidth": 2 + }, + { + "id": "merge_label", + "type": "text", + "x": 130, + "y": 240, + "width": 100, + "height": 20, + "text": "Merge PR", + "fontSize": 12, + "fontFamily": 5, + "textAlign": "left", + "strokeColor": "#495057", + "backgroundColor": "transparent" + }, + { + "id": 
"arrow_dev_step1", + "type": "arrow", + "x": 190, + "y": 150, + "points": [[0,0], [60,0]], + "strokeColor": "#495057", + "strokeWidth": 2 + }, + { + "id": "arrow_s1_s2", + "type": "arrow", + "x": 390, + "y": 150, + "points": [[0,0], [60,0]], + "strokeColor": "#495057", + "strokeWidth": 2 + }, + { + "id": "arrow_s2_s3", + "type": "arrow", + "x": 590, + "y": 150, + "points": [[0,0], [60,0]], + "strokeColor": "#495057", + "strokeWidth": 2 + }, + { + "id": "arrow_s3_s4", + "type": "arrow", + "x": 790, + "y": 150, + "points": [[0,0], [60,0]], + "strokeColor": "#495057", + "strokeWidth": 2 + }, + { + "id": "arrow_s4_s5", + "type": "arrow", + "x": 920, + "y": 180, + "points": [[0,0], [0,40], [-570,0]], + "strokeColor": "#495057", + "strokeWidth": 2 + }, + { + "id": "arrow_s5_s6", + "type": "arrow", + "x": 390, + "y": 250, + "points": [[0,0], [60,0]], + "strokeColor": "#495057", + "strokeWidth": 2 + }, + { + "id": "arrow_s6_s7", + "type": "arrow", + "x": 590, + "y": 250, + "points": [[0,0], [60,0]], + "strokeColor": "#495057", + "strokeWidth": 2 + }, + { + "id": "arrow_s7_aws", + "type": "arrow", + "x": 750, + "y": 280, + "points": [[0,0], [0,60]], + "strokeColor": "#c92a2a", + "strokeWidth": 3 + }, + { + "id": "arrow_oidc_aws", + "type": "arrow", + "x": 940, + "y": 300, + "points": [[0,0], [0,40], [-90,0]], + "strokeColor": "#1971c2", + "strokeWidth": 2, + "strokeStyle": "dashed" + }, + { + "id": "legend", + "type": "text", + "x": 50, + "y": 450, + "width": 400, + "height": 120, + "text": "Leyenda:\\n🟦 Azul: Código/branch\\n🟩 Verde: Build steps\\n🟨 Amarillo: Deploy steps\\n🟥 Rojo: Producción/AWS", + "fontSize": 14, + "fontFamily": 5, + "textAlign": "left", + "strokeColor": "#495057", + "backgroundColor": "transparent" + } + ], + "appState": { + "viewBackgroundColor": "#ffffff", + "gridSize": 20 + }, + "files": {} +} diff --git a/diagrama-seguridad-acceso.excalidraw b/diagrama-seguridad-acceso.excalidraw new file mode 100644 index 0000000..eafd5af --- /dev/null 
+++ b/diagrama-seguridad-acceso.excalidraw 
@@ -0,0 +1,394 @@ +{ + "type": "excalidraw", + "version": 2, + "source": "https://excalidraw.com", + "elements": [ + { + "id": "title", + "type": "text", + "x": 300, + "y": 20, + "width": 600, + "height": 40, + "text": "Seguridad y Acceso - Proyectosacc PROD", + "fontSize": 28, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "internet", + "type": "ellipse", + "x": 50, + "y": 120, + "width": 120, + "height": 80, + "backgroundColor": "#e7f5ff", + "strokeColor": "#1971c2", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "internet_text", + "type": "text", + "x": 60, + "y": 140, + "width": 100, + "height": 40, + "text": "Internet", + "fontSize": 16, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "cloudfront_box", + "type": "rectangle", + "x": 250, + "y": 120, + "width": 160, + "height": 80, + "backgroundColor": "#e7f5ff", + "strokeColor": "#1971c2", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "cloudfront_text", + "type": "text", + "x": 260, + "y": 135, + "width": 140, + "height": 50, + "text": "CloudFront\\nCDN + WAF", + "fontSize": 14, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "ssh_restricted", + "type": "rectangle", + "x": 250, + "y": 250, + "width": 160, + "height": 80, + "backgroundColor": "#ffc9c9", + "strokeColor": "#c92a2a", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "ssh_restricted_text", + "type": "text", + "x": 260, + "y": 260, + "width": 140, + "height": 60, + "text": "SSH Restringido\\nSolo México IPs\\nPassphrase req.", + "fontSize": 12, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#c92a2a", + "backgroundColor": "transparent" + }, + { + "id": "session_manager", + "type": "rectangle", + "x": 450, + "y": 250, + "width": 160, + "height": 80, + "backgroundColor": 
"#d3f9d8", + "strokeColor": "#2b8a3e", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "session_manager_text", + "type": "text", + "x": 460, + "y": 260, + "width": 140, + "height": 60, + "text": "Session Manager\\nAWS Systems\\nManager", + "fontSize": 12, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#2b8a3e", + "backgroundColor": "transparent" + }, + { + "id": "ec2_server", + "type": "rectangle", + "x": 680, + "y": 120, + "width": 200, + "height": 120, + "backgroundColor": "#fff3bf", + "strokeColor": "#f08c00", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "ec2_server_text", + "type": "text", + "x": 690, + "y": 130, + "width": 180, + "height": 100, + "text": "EC2 PROD\\ni-02428e733083ea877\\n78.13.201.205\\nUsuario: thoth\\nSudo: NOPASSWD", + "fontSize": 12, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "rds_db", + "type": "rectangle", + "x": 680, + "y": 300, + "width": 200, + "height": 80, + "backgroundColor": "#e7f5ff", + "strokeColor": "#1971c2", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "rds_db_text", + "type": "text", + "x": 690, + "y": 310, + "width": 180, + "height": 60, + "text": "RDS MariaDB\\nproyectosacc-db-prod\\nEncrypted + Backup", + "fontSize": 12, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "security_group", + "type": "rectangle", + "x": 930, + "y": 120, + "width": 180, + "height": 100, + "backgroundColor": "#f3d9fa", + "strokeColor": "#862e9c", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "security_group_text", + "type": "text", + "x": 940, + "y": 130, + "width": 160, + "height": 80, + "text": "Security Groups\\n✓ Puerto 80/443\\n✓ Puerto 8080-8085\\n✗ SSH 0.0.0.0/0", + "fontSize": 11, + "fontFamily": 5, + "textAlign": "left", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "iam_role", + 
"type": "rectangle", + "x": 930, + "y": 250, + "width": 180, + "height": 80, + "backgroundColor": "#ffd43b", + "strokeColor": "#e67700", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "iam_role_text", + "type": "text", + "x": 940, + "y": 260, + "width": 160, + "height": 60, + "text": "IAM Roles\\nEC2 Role\\nSSM Permissions\\nS3 Access", + "fontSize": 11, + "fontFamily": 5, + "textAlign": "left", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "bitbucket_pipeline", + "type": "rectangle", + "x": 50, + "y": 400, + "width": 180, + "height": 80, + "backgroundColor": "#a5d8ff", + "strokeColor": "#1971c2", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "bitbucket_pipeline_text", + "type": "text", + "x": 60, + "y": 410, + "width": 160, + "height": 60, + "text": "Bitbucket Pipeline\\nOIDC Auth\\nAuto-deploy", + "fontSize": 12, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent" + }, + { + "id": "oidc_auth", + "type": "rectangle", + "x": 300, + "y": 400, + "width": 160, + "height": 80, + "backgroundColor": "#d3f9d8", + "strokeColor": "#2b8a3e", + "strokeWidth": 2, + "fillStyle": "solid" + }, + { + "id": "oidc_auth_text", + "type": "text", + "x": 310, + "y": 410, + "width": 140, + "height": 60, + "text": "AWS SSO/OIDC\\nNo credentials\\nAutomatic", + "fontSize": 12, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#2b8a3e", + "backgroundColor": "transparent" + }, + { + "id": "arrow_internet_cf", + "type": "arrow", + "x": 170, + "y": 160, + "points": [[0,0], [80,0]], + "strokeColor": "#495057", + "strokeWidth": 2 + }, + { + "id": "arrow_cf_ec2", + "type": "arrow", + "x": 410, + "y": 160, + "points": [[0,0], [70,0]], + "strokeColor": "#495057", + "strokeWidth": 2 + }, + { + "id": "arrow_ssh_ec2", + "type": "arrow", + "x": 410, + "y": 290, + "points": [[0,0], [270,0]], + "strokeColor": "#c92a2a", + "strokeWidth": 2, + "strokeStyle": "dashed" + }, + { + 
"id": "arrow_ssm_ec2", + "type": "arrow", + "x": 610, + "y": 290, + "points": [[0,0], [70,0]], + "strokeColor": "#2b8a3e", + "strokeWidth": 2, + "strokeStyle": "dashed" + }, + { + "id": "arrow_ec2_rds", + "type": "arrow", + "x": 780, + "y": 240, + "points": [[0,0], [0,60]], + "strokeColor": "#495057", + "strokeWidth": 2 + }, + { + "id": "arrow_bb_oidc", + "type": "arrow", + "x": 230, + "y": 440, + "points": [[0,0], [70,0]], + "strokeColor": "#2b8a3e", + "strokeWidth": 2 + }, + { + "id": "arrow_oidc_aws", + "type": "arrow", + "x": 460, + "y": 440, + "points": [[0,0], [220,0]], + "strokeColor": "#2b8a3e", + "strokeWidth": 2, + "strokeStyle": "dashed" + }, + { + "id": "prevent_destroy_label", + "type": "text", + "x": 680, + "y": 420, + "width": 200, + "height": 60, + "text": "🛡️ Lifecycle:\\nprevent_destroy = true", + "fontSize": 12, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#2b8a3e", + "backgroundColor": "transparent" + }, + { + "id": "ssh_label", + "type": "text", + "x": 330, + "y": 340, + "width": 200, + "height": 30, + "text": "❌ Cerrado por defecto", + "fontSize": 12, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#c92a2a", + "backgroundColor": "transparent" + }, + { + "id": "ssm_label", + "type": "text", + "x": 520, + "y": 340, + "width": 200, + "height": 30, + "text": "✅ Acceso recomendado", + "fontSize": 12, + "fontFamily": 5, + "textAlign": "center", + "strokeColor": "#2b8a3e", + "backgroundColor": "transparent" + } + ], + "appState": { + "viewBackgroundColor": "#ffffff", + "gridSize": 20 + }, + "files": {} +}