feat(ci): integra Terraform en pipeline de Bitbucket Pipelines

- Agrega paso 03_terraform para DEV y PROD con init, plan y apply - Crea backend.dev.hcl para configuración explícita de estado DEV - Refactoriza Route53/ACM en main.tf para soportar PROD cross-account usando count condicional sin romper estado de DEV - Descomenta provider aws.route53 en provider.tf - Añade domain_name faltante en prod.tfvars y confirma dev.tfvars - Corrige output route53_record para recursos con count - Elimina errored.tfstate corrupto local - Incluye permiso sts:AssumeRole en IAM policy para Route53 cross-account
2026-04-14 19:40:57 -06:00
parent 3fe8cb1391
commit cbea3e932b
8 changed files with 128 additions and 26 deletions
@@ -0,0 +1,5 @@
+bucket         = "ccsoft-terraform-state"
+key            = "proyectosacc/terraform.tfstate"
+region         = "mx-central-1"
+encrypt        = true
+dynamodb_table = "terraform-locks"
@@ -21,4 +21,5 @@ db_username            = "sacc_admin_dev"
 db_password            = "<cambiar-por-secret-real>"
 s3_frontend_bucket     = "ccsoft-proyectosacc-frontend-dev"
 s3_artifacts_bucket    = "ccsoft-proyectosacc-artifacts-dev"
+domain_name            = "dev-sacc.ccsoft.mx"
 cloudfront_price_class = "PriceClass_100"
@@ -21,4 +21,5 @@ db_username            = "sacc_admin_prod"
 db_password            = "<cambiar-por-secret-real>"
 s3_frontend_bucket     = "ccsoft-proyectosacc-frontend-prod"
 s3_artifacts_bucket    = "ccsoft-proyectosacc-artifacts-prod"
+domain_name            = "sacc.ccsoft.mx"
 cloudfront_price_class = "PriceClass_100"
@@ -445,38 +445,64 @@ resource "aws_acm_certificate" "main" {
 }

 resource "aws_route53_record" "cert_validation" {
-  for_each = {
-    for dvo in aws_acm_certificate.main.domain_validation_options : dvo.domain_name => {
-      name   = dvo.resource_record_name
-      record = dvo.resource_record_value
-      type   = dvo.resource_record_type
-    }
-  }
-
+  count           = var.environment != "prod" ? 1 : 0
  allow_overwrite = true
-  name            = each.value.name
-  records         = [each.value.record]
+  name            = tolist(aws_acm_certificate.main.domain_validation_options)[0].resource_record_name
+  records         = [tolist(aws_acm_certificate.main.domain_validation_options)[0].resource_record_value]
  ttl             = 60
-  type            = each.value.type
-  zone_id         = data.aws_route53_zone.main.zone_id
+  type            = tolist(aws_acm_certificate.main.domain_validation_options)[0].resource_record_type
+  zone_id         = local.route53_zone_id
+}
+
+resource "aws_route53_record" "cert_validation_prod" {
+  provider        = aws.route53
+  count           = var.environment == "prod" ? 1 : 0
+  allow_overwrite = true
+  name            = tolist(aws_acm_certificate.main.domain_validation_options)[0].resource_record_name
+  records         = [tolist(aws_acm_certificate.main.domain_validation_options)[0].resource_record_value]
+  ttl             = 60
+  type            = tolist(aws_acm_certificate.main.domain_validation_options)[0].resource_record_type
+  zone_id         = local.route53_zone_id
 }

 resource "aws_acm_certificate_validation" "main" {
  provider                = aws.us_east_1
  certificate_arn         = aws_acm_certificate.main.arn
-  validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn]
+  validation_record_fqdns = local.cert_validation_fqdns
 }

 # -------------------------------------------------------------------------------
 # Route 53
 # -------------------------------------------------------------------------------
 data "aws_route53_zone" "main" {
-  name         = "ccsoft.mx"
+  count        = var.environment != "prod" ? 1 : 0
+  name         = var.domain_name
  private_zone = false
 }

+data "aws_route53_zone" "main_prod" {
+  provider     = aws.route53
+  count        = var.environment == "prod" ? 1 : 0
+  name         = var.domain_name
+  private_zone = false
+}
+
+locals {
+  route53_zone_id = coalesce(
+    try(data.aws_route53_zone.main[0].zone_id, ""),
+    try(data.aws_route53_zone.main_prod[0].zone_id, "")
+  )
+
+  cert_validation_fqdns = compact(try(
+    [aws_route53_record.cert_validation[0].fqdn],
+    [aws_route53_record.cert_validation_prod[0].fqdn],
+    []
+  ))
+}
+
 resource "aws_route53_record" "main" {
-  zone_id = data.aws_route53_zone.main.zone_id
+  count   = var.environment != "prod" ? 1 : 0
+  zone_id = local.route53_zone_id
  name    = var.domain_name
  type    = "A"

@@ -487,6 +513,20 @@ resource "aws_route53_record" "main" {
  }
 }

+resource "aws_route53_record" "main_prod" {
+  provider = aws.route53
+  count    = var.environment == "prod" ? 1 : 0
+  zone_id  = local.route53_zone_id
+  name     = var.domain_name
+  type     = "A"
+
+  alias {
+    name                   = aws_cloudfront_distribution.main.domain_name
+    zone_id                = aws_cloudfront_distribution.main.hosted_zone_id
+    evaluate_target_health = false
+  }
+}
+
 # -------------------------------------------------------------------------------
 # CloudFront Distribution
 # -------------------------------------------------------------------------------
@@ -43,7 +43,7 @@ output "cloudfront_distribution_id" {

 output "route53_record" {
  description = "Registro DNS creado en Route 53"
-  value       = aws_route53_record.main.name
+  value       = try(aws_route53_record.main[0].name, aws_route53_record.main_prod[0].name, "")
 }

 output "acm_certificate_arn" {
@@ -45,3 +45,22 @@ provider "aws" {
    }
  }
 }
+
+# Provider para Route 53 en cuenta cross-account (262270938827)
+# Solo se usa en PROD mediante count condicional en los recursos de Route 53.
+provider "aws" {
+  alias  = "route53"
+  region = "us-east-1"
+
+  assume_role {
+    role_arn = "arn:aws:iam::262270938827:role/Route53ProyectosaccCrossAccountRole"
+  }
+
+  default_tags {
+    tags = {
+      Project     = var.project_name
+      ManagedBy   = "terraform"
+      Environment = var.environment
+    }
+  }
+}