feat(iam): implement OIDC authentication between Bitbucket Pipelines and AWS

- Add aws_iam_openid_connect_provider and IAM roles for DEV/PROD
- Update bitbucket-pipelines.yml to use OIDC in steps 03, 05, 07
- Create helper script scripts/aws-oidc-setup.sh
- Add tls provider in terraform/provider.tf
- Document the full flow in docs/14-oidc-bitbucket-aws.md

Removes the dependency on static AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
in the pipeline, allowing authentication without long-lived credentials
via AssumeRoleWithWebIdentity.

Refs: DEV account 668889063715, PROD account 523761210517
Evert Daniel Romero Garrido
2026-04-15 12:50:31 -06:00
parent bc3ff913cf
commit 744c5d1413
5 changed files with 533 additions and 4 deletions
+17 -4
@@ -9,6 +9,11 @@
image: atlassian/default-image:5
options:
oidc:
audiences:
- sts.amazonaws.com
definitions:
steps:
- step: &notify-start
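Review bot: the audience `sts.amazonaws.com` declared under `options.oidc.audiences` has to match the `client_id_list` of the `aws_iam_openid_connect_provider` that the commit message says is added; that Terraform file is not in this diff, so confirm the two agree, because an audience mismatch makes AssumeRoleWithWebIdentity reject every token. A short YAML comment here noting that this block only takes effect for steps that set `oidc: true` (steps 03, 05 and 07 below) would help the next reader.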
@@ -60,15 +65,15 @@ pipelines:
- step:
name: 03_terraform
oidc: true
script:
- set -euo pipefail
- source scripts/aws-oidc-setup.sh dev
- cd terraform
- wget -q "https://releases.hashicorp.com/terraform/1.11.4/terraform_1.11.4_linux_amd64.zip"
- unzip -q terraform_1.11.4_linux_amd64.zip
- mv terraform /usr/local/bin/terraform
- terraform version
- export AWS_ACCESS_KEY_ID="${DEV_AWS_ACCESS_KEY_ID}"
- export AWS_SECRET_ACCESS_KEY="${DEV_AWS_SECRET_ACCESS_KEY}"
- export AWS_DEFAULT_REGION="${AWS_DEFAULT_REGION:-mx-central-1}"
- terraform init -backend-config=backend.dev.hcl
- terraform plan -var-file=environments/dev.tfvars -var="db_password=${DEV_DB_PASSWORD}" -out=dev.tfplan
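Review bot: dropping the `export AWS_ACCESS_KEY_ID="${DEV_AWS_ACCESS_KEY_ID}"` and `AWS_SECRET_ACCESS_KEY` lines only stops the pipeline from using the static key; the `DEV_AWS_ACCESS_KEY_ID` / `DEV_AWS_SECRET_ACCESS_KEY` repository variables and the IAM access key behind them remain valid until someone deactivates and deletes them. Make that removal part of this change or track it in docs/14-oidc-bitbucket-aws.md, otherwise the migration leaves the long-lived credential alive. Unrelated to OIDC but visible in the same hunk: the Terraform zip is fetched with `wget` and unpacked without verifying HashiCorp's published SHA256SUMS, which is worth adding while this step is being touched.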
@@ -91,8 +96,10 @@ pipelines:
- step:
name: 05_publish
oidc: true
script:
- set -euo pipefail
- source scripts/aws-oidc-setup.sh dev
- aws s3 sync build/ "s3://${DEV_S3_FRONTEND_BUCKET}/" --delete
- aws s3 cp build/libs/*.jar "s3://${DEV_S3_ARTIFACTS_BUCKET}/develop/proyectosacc-app.jar"
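Review bot: `aws s3 sync ... --delete` and `aws s3 cp` now run under the DEV role rather than a user key, so the role's permissions policy is what bounds the blast radius of a compromised pipeline step, and that policy is not in this diff. Check that it grants `s3:ListBucket`, `s3:PutObject` and `s3:DeleteObject` only on `${DEV_S3_FRONTEND_BUCKET}` and `s3:PutObject` only on the `develop/` prefix of `${DEV_S3_ARTIFACTS_BUCKET}`, instead of carrying over whatever the old static user had.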
@@ -111,8 +118,10 @@ pipelines:
- step:
name: 07_deploy
oidc: true
script:
- set -euo pipefail
- source scripts/aws-oidc-setup.sh dev
- echo "${DEV_SSH_PRIVATE_KEY_THOTH_PROYECTOSACC}" | base64 -d > ~/.ssh/sacc4_key
- chmod 600 ~/.ssh/sacc4_key
- |
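Review bot: this step now has an AWS identity via `source scripts/aws-oidc-setup.sh dev`, but the visible lines still authenticate to the target host with a long-lived SSH private key decoded from `DEV_SSH_PRIVATE_KEY_THOTH_PROYECTOSACC`. Since the commit message describes removing long-lived credentials, either state in docs/14-oidc-bitbucket-aws.md that the SSH key is out of scope, or record a follow-up to replace it with a mechanism the assumed role can authorize (SSM Session Manager or EC2 Instance Connect), so the static secret is not forgotten.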
@@ -148,15 +157,15 @@ pipelines:
- step:
name: 03_terraform
oidc: true
script:
- set -euo pipefail
- source scripts/aws-oidc-setup.sh prod
- cd terraform
- wget -q "https://releases.hashicorp.com/terraform/1.11.4/terraform_1.11.4_linux_amd64.zip"
- unzip -q terraform_1.11.4_linux_amd64.zip
- mv terraform /usr/local/bin/terraform
- terraform version
- export AWS_ACCESS_KEY_ID="${PROD_AWS_ACCESS_KEY_ID}"
- export AWS_SECRET_ACCESS_KEY="${PROD_AWS_SECRET_ACCESS_KEY}"
- export AWS_DEFAULT_REGION="${AWS_DEFAULT_REGION:-mx-central-1}"
- terraform init -backend-config=backend.prod.hcl
- terraform plan -var-file=environments/prod.tfvars -var="db_password=${PROD_DB_PASSWORD}" -out=prod.tfplan
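Review bot: the PROD step uses the same OIDC provider as DEV with only the `prod` argument to `aws-oidc-setup.sh` differing, so the single control that prevents a `develop` run from assuming the PROD role is the PROD role's trust policy, which is not in this diff. Confirm it conditions on the token's `sub` claim (repository and deployment environment or step) and on `aud` = `sts.amazonaws.com`, not merely on the provider ARN, and consider attaching a Bitbucket deployment environment to this step so the `PROD_*` variables are scoped as well. Style: the Terraform download/install lines are duplicated verbatim from the `develop` step; the file already uses YAML anchors (`&notify-start`), so a shared anchor would remove the drift risk between the two branches.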
@@ -179,8 +188,10 @@ pipelines:
- step:
name: 05_publish
oidc: true
script:
- set -euo pipefail
- source scripts/aws-oidc-setup.sh prod
- aws s3 sync build/ "s3://${PROD_S3_FRONTEND_BUCKET}/" --delete
- aws s3 cp build/libs/*.jar "s3://${PROD_S3_ARTIFACTS_BUCKET}/main/proyectosacc-app.jar"
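Review bot: `aws s3 cp build/libs/*.jar "s3://${PROD_S3_ARTIFACTS_BUCKET}/main/proyectosacc-app.jar"` relies on the shell expanding the glob to exactly one file; if `build/libs/` contains a second jar the CLI receives an extra positional argument and fails, and under `set -euo pipefail` that aborts the step after `aws s3 sync ... --delete` has already replaced the production frontend. Select the jar explicitly (fixed name or a single-match check) before the copy. This is pre-existing context, but the step is being changed here and the failure mode is worse on `main`.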
@@ -199,8 +210,10 @@ pipelines:
- step:
name: 07_deploy
oidc: true
script:
- set -euo pipefail
- source scripts/aws-oidc-setup.sh prod
- echo "${PROD_SSH_PRIVATE_KEY_THOTH_PROYECTOSACC}" | base64 -d > ~/.ssh/sacc4_key
- chmod 600 ~/.ssh/sacc4_key
- |
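Review bot: credentials obtained through AssumeRoleWithWebIdentity expire (3600 seconds by default); the helper is sourced at the top of the step and the SSH deploy follows, so any AWS CLI calls later in the `|` block fail mid-deploy if the step outlasts the session. Either have `scripts/aws-oidc-setup.sh` request a DurationSeconds that fits within the role's MaxSessionDuration, or move the AWS calls directly after the `source`. Also, the PROD key is written to disk at `~/.ssh/sacc4_key`; remove it at the end of the step (or in an `after-script`) so it does not persist in the build container longer than needed.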