feat(pipeline): Add SSH key rotation, health checks, and manual approval

Security & Operations Improvements:
- Add step 06_update_ssh_keys to rotate authorized_keys on EC2
  before each deployment, ensuring only current pipeline can access
- Add step 09_health_check with retry logic (12 retries, 10s interval)
  verifying API backend (/actuator/health), CloudFront, and RDS
- Add manual approval (trigger: manual) for production deployment
  with terraform plan saved as artifact (prod.tfplan)
- Document terraform auto-approve policy: dev automatic, prod manual
- Use DEV_DB_HOST and PROD_DB_HOST variables for RDS connectivity checks
- Reorder steps: 7 steps → 9 steps standard CCsoft pipeline

Closes pipeline security gaps and adds post-deploy verification.
Evert Daniel Romero Garrido
2026-04-20 17:47:15 -06:00
parent f32b58fc46
commit defce6933d
4 changed files with 623 additions and 28 deletions
+6 -2
@@ -116,12 +116,16 @@ resource "aws_security_group" "ec2_api" {
vpc_id = aws_vpc.main.id
description = "Security Group para la API backend de ${var.project_name}"
# NOTA DE SEGURIDAD: Acceso SSH controlado EXCLUSIVAMENTE por llaves SSH
# administradas por el pipeline CI/CD (key-based auth), NO por restricción de IP.
# El pipeline inyecta y rota las llaves públicas en authorized_keys del usuario thoth.
# Considerar migrar a AWS Systems Manager Session Manager para eliminar acceso SSH directo.
ingress {
description = "SSH desde IPs confiables"
description = "SSH - Acceso controlado por llaves CI/CD (no por IP)"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"] # SSH desde cualquier IP (pipeline Bitbucket + administración)
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
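Review bot: In the port 22 ingress block, `cidr_blocks = ["0.0.0.0/0"]` is kept, so the change only rewords the description and drops the inline comment while sshd stays reachable from any IPv4 address. The new note makes the rotated authorized_keys for user thoth the sole control, but nothing in this hunk shows that password authentication is disabled on the instance or that a failed rotation step blocks the deploy. I would either replace the open CIDR with a variable holding the pipeline and administration ranges (for example a list variable such as `var.ssh_allowed_cidrs`, name hypothetical), or act on the note's own suggestion and remove this rule in favour of AWS Systems Manager Session Manager. If the open rule has to stay for now, please reference where key-only authentication is enforced so the comment's claim can be verified from the repository.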