feat(terraform): agregar permisos sudo para thoth y mejorar seguridad

- Configurar permisos sudo completos para usuario thoth:
  * Editar /etc/sacc4/sacc4.env
  * Gestionar servicios api-sacc4-*.service
  * Editar archivos systemd
  * Control total de /opt/sacc4
- Eliminar acceso SSH abierto (0.0.0.0/0)
- Agregar soporte AWS Systems Manager Session Manager
- Actualizar llave SSH a sacc-prod-key-2026
- Preservar tags de scheduling (AutoStart/AutoStop) en EC2 y RDS
- Agregar variable allowed_ssh_cidrs para acceso de emergencia

BREAKING CHANGE: SSH restringido, usar Session Manager como acceso principal
Evert Daniel Romero Garrido
2026-05-07 09:44:44 -06:00
parent 2e3627fb66
commit 7e0c764f3f
5 changed files with 210 additions and 22 deletions
+36 -3
@@ -315,7 +315,7 @@ pipelines:
name: 01_image-setup
script:
- set -euo pipefail
- apt-get update -y && apt-get install -y openssh-client openjdk-21-jdk wget unzip curl
- apt-get update -y && apt-get install -y openssh-client openjdk-21-jdk wget unzip curl expect
- curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
- unzip -q awscliv2.zip
- ./aws/install
@@ -324,6 +324,14 @@ pipelines:
- echo "${SSH_PRIVATE_KEY_THOTH}" > ~/.ssh/sacc4_key
- chmod 600 ~/.ssh/sacc4_key
- ssh-keyscan -p "22" "${PROD_INSTANCE_IP}" >> ~/.ssh/known_hosts 2>/dev/null || true
- eval "$(ssh-agent -s)"
- |
expect -c "
spawn ssh-add ~/.ssh/sacc4_key
expect \"Enter passphrase\"
send \"${SSH_PASSPHRASE_THOTH}\r\"
expect eof
"
- export TELEGRAM_BOT_TOKEN="${PROD_TELEGRAM_BOT_TOKEN}"
- export TELEGRAM_CHAT_ID="${PROD_TELEGRAM_CHAT_ID}"
- bash scripts/telegram-pipeline-notify.sh start
@@ -423,9 +431,18 @@ pipelines:
name: 06_update_ssh_keys
script:
- set -euo pipefail
- apt-get update -y && apt-get install -y expect
- mkdir -p ~/.ssh
- echo "${SSH_PRIVATE_KEY_THOTH}" > ~/.ssh/sacc4_key
- chmod 600 ~/.ssh/sacc4_key
- eval "$(ssh-agent -s)"
- |
expect -c "
spawn ssh-add ~/.ssh/sacc4_key
expect \"Enter passphrase\"
send \"${SSH_PASSPHRASE_THOTH}\r\"
expect eof
"
# Actualizar authorized_keys del usuario thoth con la llave pública del pipeline
# Esto asegura que solo el pipeline actual pueda acceder, rotando llaves automáticamente
- |
@@ -441,7 +458,7 @@ pipelines:
name: 07_install
script:
- set -euo pipefail
- apt-get update -y && apt-get install -y curl unzip
- apt-get update -y && apt-get install -y curl unzip expect
- curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
- unzip -q awscliv2.zip
- ./aws/install
@@ -455,8 +472,16 @@ pipelines:
fi
if [ "${HAS_LOCAL_JAR}" = "true" ]; then
echo "INFO: Artefacto JAR encontrado localmente. Procediendo con instalación en servidor."
mkdir -p ~/.ssh
echo "${SSH_PRIVATE_KEY_THOTH}" > ~/.ssh/sacc4_key
chmod 600 ~/.ssh/sacc4_key
eval "$(ssh-agent -s)"
expect -c "
spawn ssh-add ~/.ssh/sacc4_key
expect \"Enter passphrase\"
send \"${SSH_PASSPHRASE_THOTH}\r\"
expect eof
"
ssh -p "22" \
-i ~/.ssh/sacc4_key \
-o StrictHostKeyChecking=no \
@@ -483,7 +508,7 @@ pipelines:
trigger: manual
script:
- set -euo pipefail
- apt-get update -y && apt-get install -y curl unzip
- apt-get update -y && apt-get install -y curl unzip expect
- curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
- unzip -q awscliv2.zip
- ./aws/install
@@ -501,6 +526,14 @@ pipelines:
fi
- echo "${SSH_PRIVATE_KEY_THOTH}" > ~/.ssh/sacc4_key
- chmod 600 ~/.ssh/sacc4_key
- eval "$(ssh-agent -s)"
- |
expect -c "
spawn ssh-add ~/.ssh/sacc4_key
expect \"Enter passphrase\"
send \"${SSH_PASSPHRASE_THOTH}\r\"
expect eof
"
- |
ssh -p "22" \
-i ~/.ssh/sacc4_key \