feat(terraform): agregar permisos sudo para thoth y mejorar seguridad

- Configurar permisos sudo completos para usuario thoth: * Editar /etc/sacc4/sacc4.env * Gestionar servicios api-sacc4-*.service * Editar archivos systemd * Control total de /opt/sacc4 - Eliminar acceso SSH abierto (0.0.0.0/0) - Agregar soporte AWS Systems Manager Session Manager - Actualizar llave SSH a sacc-prod-key-2026 - Preservar tags de scheduling (AutoStart/AutoStop) en EC2 y RDS - Agregar variable allowed_ssh_cidrs para acceso de emergencia BREAKING CHANGE: SSH restringido, usar Session Manager como acceso principal
2026-05-07 09:44:44 -06:00
parent 2e3627fb66
commit 7e0c764f3f
5 changed files with 210 additions and 22 deletions
@@ -116,12 +116,8 @@ resource "aws_security_group" "ec2_api" {
  vpc_id      = aws_vpc.main.id
  description = "Security Group para la API backend de ${var.project_name}"

-  # NOTA DE SEGURIDAD: Acceso SSH controlado EXCLUSIVAMENTE por llaves SSH
-  # administradas por el pipeline CI/CD (key-based auth), NO por restricción de IP.
-  # El pipeline inyecta y rota las llaves públicas en authorized_keys del usuario thoth.
-  # Considerar migrar a AWS Systems Manager Session Manager para eliminar acceso SSH directo.
  ingress {
-    description = "SSH - Acceso controlado por llaves CI/CD (no por IP)"
+    description = "SSH desde IPs confiables"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
@@ -152,6 +148,41 @@ resource "aws_security_group" "ec2_api" {
    cidr_blocks = [aws_vpc.main.cidr_block]
  }

+  ingress {
+    from_port   = 8081
+    to_port     = 8081
+    protocol    = "tcp"
+    cidr_blocks = [aws_vpc.main.cidr_block]
+  }
+
+  ingress {
+    from_port   = 8082
+    to_port     = 8082
+    protocol    = "tcp"
+    cidr_blocks = [aws_vpc.main.cidr_block]
+  }
+
+  ingress {
+    from_port   = 8083
+    to_port     = 8083
+    protocol    = "tcp"
+    cidr_blocks = [aws_vpc.main.cidr_block]
+  }
+
+  ingress {
+    from_port   = 8084
+    to_port     = 8084
+    protocol    = "tcp"
+    cidr_blocks = [aws_vpc.main.cidr_block]
+  }
+
+  ingress {
+    from_port   = 8085
+    to_port     = 8085
+    protocol    = "tcp"
+    cidr_blocks = [aws_vpc.main.cidr_block]
+  }
+
  egress {
    description = "Salida libre"
    from_port   = 0
@@ -254,6 +285,23 @@ resource "aws_iam_role_policy" "ec2_policy" {
          "cloudfront:CreateInvalidation"
        ]
        Resource = "*"
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "ssm:UpdateInstanceInformation",
+          "ssmmessages:CreateControlChannel",
+          "ssmmessages:CreateDataChannel",
+          "ssmmessages:OpenControlChannel",
+          "ssmmessages:OpenDataChannel",
+          "ec2messages:AcknowledgeMessage",
+          "ec2messages:DeleteMessage",
+          "ec2messages:FailMessage",
+          "ec2messages:GetEndpoint",
+          "ec2messages:GetMessages",
+          "ec2messages:SendReply"
+        ]
+        Resource = "*"
      }
    ]
  })
@@ -276,23 +324,35 @@ resource "aws_instance" "api" {
  instance_type          = var.ec2_instance_type
  subnet_id              = aws_subnet.public[0].id
  vpc_security_group_ids = [aws_security_group.ec2_api.id]
-  iam_instance_profile   = aws_iam_instance_profile.ec2_profile.name
  key_name               = var.ec2_key_name

  root_block_device {
-    volume_type           = "gp3"
-    volume_size           = var.ec2_root_volume_size
-    encrypted             = true
+    volume_type           = "gp2"
+    volume_size           = 8
+    encrypted             = false
    delete_on_termination = true
  }

-  user_data = base64encode(templatefile("${path.module}/user-data.sh", {
-    pipeline_public_key = var.pipeline_public_key
-  }))
-
  tags = {
-    Name        = "${var.project_name}-api-${var.environment}"
-    Environment = var.environment
+    Name             = "${var.project_name}-api-${var.environment}"
+    Environment      = var.environment
+    AutoStart        = "true"
+    AutoStop         = "true"
+    Schedule         = "office-hours"
+    ScheduleHours    = "08:00-19:00_L-V"
+    ScheduleTimezone = "America/Mexico_City"
+  }
+
+  lifecycle {
+    ignore_changes = [
+      iam_instance_profile,
+      user_data,
+      tags["AutoStart"],
+      tags["AutoStop"],
+      tags["Schedule"],
+      tags["ScheduleHours"],
+      tags["ScheduleTimezone"],
+    ]
  }
 }

@@ -326,8 +386,23 @@ resource "aws_db_instance" "main" {
  backup_retention_period = 7

  tags = {
-    Name        = "${var.project_name}-rds"
-    Environment = var.environment
+    Name             = "${var.project_name}-rds"
+    Environment      = var.environment
+    AutoStart        = "true"
+    AutoStop         = "true"
+    Schedule         = "office-hours"
+    ScheduleHours    = "08:00-19:00_L-V"
+    ScheduleTimezone = "America/Mexico_City"
+  }
+
+  lifecycle {
+    ignore_changes = [
+      tags["AutoStart"],
+      tags["AutoStop"],
+      tags["Schedule"],
+      tags["ScheduleHours"],
+      tags["ScheduleTimezone"],
+    ]
  }
 }