feat(iam): implementa autenticación OIDC entre Bitbucket Pipelines y AWS

- Agrega aws_iam_openid_connect_provider y roles IAM para DEV/PROD - Actualiza bitbucket-pipelines.yml para usar OIDC en steps 03, 05, 07 - Crea script helper scripts/aws-oidc-setup.sh - Agrega provider tls en terraform/provider.tf - Documenta el flujo completo en docs/14-oidc-bitbucket-aws.md Elimina la dependencia de AWS_ACCESS_KEY_ID y AWS_SECRET_ACCESS_KEY estáticos en el pipeline, permitiendo autenticación sin credenciales de larga vida via AssumeRoleWithWebIdentity. Refs: cuenta DEV 668889063715, PROD 523761210517
2026-04-15 12:50:31 -06:00
parent bc3ff913cf
commit 744c5d1413
5 changed files with 533 additions and 4 deletions
@@ -0,0 +1,42 @@
+#!/bin/bash
+# ===============================================================================================================
+# aws-oidc-setup.sh - Configura credenciales AWS via OIDC para Bitbucket Pipelines
+# Descripción:
+#       Exporta las variables necesarias para que AWS CLI y Terraform usen
+#       el token OIDC de Bitbucket y asuman el rol IAM correspondiente.
+#
+# Uso:
+#       source scripts/aws-oidc-setup.sh <dev|prod>
+#
+# Requiere:
+#       - El step de bitbucket-pipelines.yml debe tener "oidc: true"
+#       - AWS CLI moderno que soporte AWS_WEB_IDENTITY_TOKEN_FILE
+# ===============================================================================================================
+
+set -euo pipefail
+
+ENV="${1:-dev}"
+
+if [[ -z "${BITBUCKET_STEP_OIDC_TOKEN:-}" ]]; then
+  echo "ERROR: BITBUCKET_STEP_OIDC_TOKEN no está definido."
+  echo "Asegúrate de agregar 'oidc: true' al step en bitbucket-pipelines.yml"
+  exit 1
+fi
+
+export AWS_WEB_IDENTITY_TOKEN_FILE="$(pwd)/web-identity-token"
+printf '%s' "${BITBUCKET_STEP_OIDC_TOKEN}" > "${AWS_WEB_IDENTITY_TOKEN_FILE}"
+
+if [[ "$ENV" == "prod" ]]; then
+  export AWS_ROLE_ARN="arn:aws:iam::523761210517:role/BitbucketProyectosaccCICDRoleProd"
+else
+  export AWS_ROLE_ARN="arn:aws:iam::668889063715:role/BitbucketProyectosaccCICDRoleDev"
+fi
+
+export AWS_DEFAULT_REGION="mx-central-1"
+
+echo "=== AWS OIDC Setup ==="
+echo "Ambiente : $ENV"
+echo "Role ARN : $AWS_ROLE_ARN"
+echo "Region   : $AWS_DEFAULT_REGION"
+echo "Token file: $AWS_WEB_IDENTITY_TOKEN_FILE"
+echo "======================"