Commit Graph

16 Commits

Author SHA1 Message Date
Evert Daniel Romero Garrido 18b436e582 fix(oidc): install AWS CLI v2 inside aws-oidc-setup.sh if missing 2026-04-16 11:42:54 -06:00
Evert Daniel Romero Garrido ec40b94795 fix(oidc): explicit STS assume-role for Terraform S3 backend compatibility
The previous script only exported AWS_WEB_IDENTITY_TOKEN_FILE and
AWS_ROLE_ARN, expecting AWS CLI/Terraform to pick them up automatically.
However, Terraform's S3 backend does not use these variables implicitly.

Now we explicitly call 'aws sts assume-role-with-web-identity',
parse the JSON response, and export the temporary credentials:
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
- AWS_SESSION_TOKEN

Also exports AWS_REGION for Terraform S3 backend compatibility.

Fixes pipeline failure in step 03_terraform with:
InvalidIdentityToken: Incorrect token audience
2026-04-16 11:20:59 -06:00
Evert Daniel Romero Garrido e21fddf41b fix(pipeline): remove obsolete 02_repo-config step cloning non-existent repos
Removes cloning of ccsoft1/ci-cd-commons and ccsoft1/ci-cd-saac4
from both developer and master branch pipelines. proyectosacc is now
self-contained with local scripts and terraform code.
2026-04-16 11:00:24 -06:00
Evert Daniel Romero Garrido 0be9efe1b3 fix(ci): install AWS CLI v2 manually on Ubuntu 24.04 2026-04-16 10:39:43 -06:00
Evert Daniel Romero Garrido ce22f776ff feat(dns): simplify PROD Route 53 by using prod-sacc.ccsoft.mx directly
Switch PROD DNS from cross-account Route 53 management to a delegated
subdomain in the PROD AWS account (523761210517).

Changes:
- prod.tfvars: domain_name changed to prod-sacc.ccsoft.mx
- provider.tf: removed aws.route53 cross-account provider
- main.tf: removed prod-specific Route 53 resources and data sources;
  cert_validation and main records now use default provider for all envs
- outputs.tf: removed indexed references to main_prod resource
2026-04-16 10:33:13 -06:00
Evert Daniel Romero Garrido b31323bb49 feat(pipeline): add manual approval gate for deploy to PROD - IT-240
- Add step 06b_notify_approval to notify via Telegram when the pipeline is waiting for manual approval
- Configure 07_deploy with deployment: production and trigger: manual
- Update the final Telegram message to indicate that the deploy was approved and completed
2026-04-15 16:26:40 -06:00
Evert Daniel Romero Garrido f8ee2a218e fix(telegram): fix MarkdownV2 character escaping using python3 2026-04-15 16:17:24 -06:00
Evert Daniel Romero Garrido 0c0126f3de feat(pipeline): implement enriched Telegram notifications for IT-238
- Create scripts/telegram-pipeline-notify.sh with branch, commit, build and author details
- Update bitbucket-pipelines.yml to use local notifications in all environments
- Fix bug where 01_image-setup referenced ci-cd-commons before cloning it
- Use MarkdownV2 format for Telegram messages
2026-04-15 16:07:54 -06:00
Evert Daniel Romero Garrido 3e215f866f docs(oidc): update documentation with real DEV/PROD configuration values 2026-04-15 13:51:45 -06:00
Evert Daniel Romero Garrido cbae04ab3f fix(oidc): replace placeholder with the real UUID of the proyectosacc repo 2026-04-15 12:51:48 -06:00
Evert Daniel Romero Garrido 744c5d1413 feat(iam): implement OIDC authentication between Bitbucket Pipelines and AWS
- Add aws_iam_openid_connect_provider and IAM roles for DEV/PROD
- Update bitbucket-pipelines.yml to use OIDC in steps 03, 05, 07
- Create helper script scripts/aws-oidc-setup.sh
- Add tls provider in terraform/provider.tf
- Document the full flow in docs/14-oidc-bitbucket-aws.md

Removes the dependency on static AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
in the pipeline, allowing authentication without long-lived credentials
via AssumeRoleWithWebIdentity.

Refs: DEV account 668889063715, PROD 523761210517
2026-04-15 12:50:31 -06:00
Evert Daniel Romero Garrido bc3ff913cf chore(terraform): update AWS provider to >=5.94.0 for mx-central-1 support and configure dev RDS password 2026-04-15 12:43:37 -06:00
Evert Daniel Romero Garrido cbea3e932b feat(ci): integrate Terraform into the Bitbucket Pipelines pipeline
- Add step 03_terraform for DEV and PROD with init, plan and apply
- Create backend.dev.hcl for explicit DEV state configuration
- Refactor Route53/ACM in main.tf to support PROD cross-account
  using conditional count without breaking DEV state
- Uncomment provider aws.route53 in provider.tf
- Add missing domain_name in prod.tfvars and confirm dev.tfvars
- Fix route53_record output for resources with count
- Remove corrupt local errored.tfstate
- Include sts:AssumeRole permission in IAM policy for Route53 cross-account
2026-04-14 19:40:57 -06:00
Evert Daniel Romero Garrido 3fe8cb1391 chore(ci): fix S3 artifacts bucket references in install step and secure terraform tfvars
- Use DEV_S3_ARTIFACTS_BUCKET and PROD_S3_ARTIFACTS_BUCKET in 06_install
  instead of generic S3_ARTIFACTS_BUCKET to prevent cross-env reads
- Add terraform/environments/*.tfvars to .gitignore to prevent secret leaks
- Update prod backend state bucket name to proyectosacc-specific bucket
- Add CI/CD credential policy documentation
2026-04-14 16:01:30 -06:00
Evert Daniel Romero Garrido 2cdeee0b84 chore(ci): update pipeline to use env-prefixed S3 bucket variables
Aligns bitbucket-pipelines.yml with CCsoft CI/CD convention
<Env>_S3_FRONTEND_BUCKET and <Env>_S3_ARTIFACTS_BUCKET.
Branches already use master/developer.
2026-04-14 15:31:18 -06:00
Evert Daniel Romero Garrido 85297b12a2 Initial commit: Terraform infrastructure, pipelines, docs and scripts 2026-04-14 14:53:05 -06:00