labadmin/proyectosacc-mirror
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
26 Commits 1 Branch 0 Tags
6652b66662f79525d0b41808b675ce7880a256d9
Commit Graph

26 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Evert Daniel Romero Garrido 6652b66662 Merge developer into master: OIDC fixes and backend region validation 2026-04-16 14:00:19 -06:00
Evert Daniel Romero Garrido dd2f31ec2a fix(pipeline): corregir OIDC token handling y backend region validation 
- Escribe BITBUCKET_STEP_OIDC_TOKEN a archivo temporal para evitar
  OSError: File name too long en el decoder JWT
- Python lee token via stdin en lugar de pasar JWT como filename
- Agrega skip_region_validation = true en backend.dev.hcl y backend.prod.hcl
  para compatibilidad con mx-central-1
 2026-04-16 13:37:36 -06:00
Evert Daniel Romero Garrido b338e68852 fix: revert step-level oidc to simple true for parsing compatibility 2026-04-16 13:06:54 -06:00
Evert Daniel Romero Garrido 7f8f531172 fix: move oidc audiences to options and step level per Atlassian docs 2026-04-16 12:30:51 -06:00
Evert Daniel Romero Garrido 40552bb5c7 fix: corregir lectura del token OIDC en aws-oidc-setup.sh 2026-04-16 12:12:36 -06:00
Evert Daniel Romero Garrido 1ab595aa83 fix: corregir lectura del token OIDC en aws-oidc-setup.sh 2026-04-16 12:12:26 -06:00
Evert Daniel Romero Garrido 675c55275b fix: mover oidc audiences a definitions para corregir Incorrect token audience 2026-04-16 12:06:00 -06:00
Evert Daniel Romero Garrido c9c34a4328 fix: mover oidc audiences a definitions para corregir Incorrect token audience 2026-04-16 12:05:49 -06:00
Evert Daniel Romero Garrido 65cc3b576b debug(oidc): print decoded JWT payload to diagnose audience mismatch 2026-04-16 11:58:22 -06:00
Evert Daniel Romero Garrido 4791fdcae6 debug(oidc): print decoded JWT payload to diagnose audience mismatch 2026-04-16 11:58:19 -06:00
Evert Daniel Romero Garrido 18b436e582 fix(oidc): install AWS CLI v2 inside aws-oidc-setup.sh if missing 2026-04-16 11:42:54 -06:00
Evert Daniel Romero Garrido ec40b94795 fix(oidc): explicit STS assume-role for Terraform S3 backend compatibility 
The previous script only exported AWS_WEB_IDENTITY_TOKEN_FILE and
AWS_ROLE_ARN, expecting AWS CLI/Terraform to pick them up automatically.
However, Terraform's S3 backend does not use these variables implicitly.

Now we explicitly call 'aws sts assume-role-with-web-identity',
parse the JSON response, and export the temporary credentials:
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
- AWS_SESSION_TOKEN

Also exports AWS_REGION for Terraform S3 backend compatibility.

Fixes pipeline failure in step 03_terraform with:
InvalidIdentityToken: Incorrect token audience
 2026-04-16 11:20:59 -06:00
Evert Daniel Romero Garrido e21fddf41b fix(pipeline): remove obsolete 02_repo-config step cloning non-existent repos 
Removes cloning of ccsoft1/ci-cd-commons and ccsoft1/ci-cd-saac4

from both developer and master branch pipelines. proyectosacc is now

self-contained with local scripts and terraform code.
 2026-04-16 11:00:24 -06:00
Evert Daniel Romero Garrido 0be9efe1b3 fix(ci): install AWS CLI v2 manually on Ubuntu 24.04 2026-04-16 10:39:43 -06:00
Evert Daniel Romero Garrido ce22f776ff feat(dns): simplify PROD Route 53 by using prod-sacc.ccsoft.mx directly 
Switch PROD DNS from cross-account Route 53 management to a delegated
subdomain in the PROD AWS account (523761210517).

Changes:
- prod.tfvars: domain_name changed to prod-sacc.ccsoft.mx
- provider.tf: removed aws.route53 cross-account provider
- main.tf: removed prod-specific Route 53 resources and data sources;
  cert_validation and main records now use default provider for all envs
- outputs.tf: removed indexed references to main_prod resource
 2026-04-16 10:33:13 -06:00
Evert Daniel Romero Garrido b31323bb49 feat(pipeline): agrega approval gate manual para deploy a PROD - IT-240 
- Agrega paso 06b_notify_approval para notificar por Telegram cuando el pipeline espera aprobación manual
- Configura 07_deploy con deployment: production y trigger: manual
- Actualiza mensaje final de Telegram para indicar que el deploy fue aprobado y completado
 2026-04-15 16:26:40 -06:00
Evert Daniel Romero Garrido f8ee2a218e fix(telegram): corrige escape de caracteres MarkdownV2 usando python3 2026-04-15 16:17:24 -06:00
Evert Daniel Romero Garrido 0c0126f3de feat(pipeline): implementa notificaciones enriquecidas de Telegram para IT-238 
- Crea scripts/telegram-pipeline-notify.sh con detalles de branch, commit, build y autor
- Actualiza bitbucket-pipelines.yml para usar notificaciones locales en todos los ambientes
- Corrige bug donde 01_image-setup referenciaba ci-cd-commons antes de clonarlo
- Usa formato MarkdownV2 para mensajes en Telegram
 2026-04-15 16:07:54 -06:00
Evert Daniel Romero Garrido 3e215f866f docs(oidc): actualiza documentacion con valores reales de configuracion DEV/PROD 2026-04-15 13:51:45 -06:00
Evert Daniel Romero Garrido cbae04ab3f fix(oidc): reemplaza placeholder por UUID real del repo proyectosacc 2026-04-15 12:51:48 -06:00
Evert Daniel Romero Garrido 744c5d1413 feat(iam): implementa autenticación OIDC entre Bitbucket Pipelines y AWS 
- Agrega aws_iam_openid_connect_provider y roles IAM para DEV/PROD
- Actualiza bitbucket-pipelines.yml para usar OIDC en steps 03, 05, 07
- Crea script helper scripts/aws-oidc-setup.sh
- Agrega provider tls en terraform/provider.tf
- Documenta el flujo completo en docs/14-oidc-bitbucket-aws.md

Elimina la dependencia de AWS_ACCESS_KEY_ID y AWS_SECRET_ACCESS_KEY
estáticos en el pipeline, permitiendo autenticación sin credenciales
de larga vida via AssumeRoleWithWebIdentity.

Refs: cuenta DEV 668889063715, PROD 523761210517
 2026-04-15 12:50:31 -06:00
Evert Daniel Romero Garrido bc3ff913cf chore(terraform): actualiza provider AWS a >=5.94.0 para soporte mx-central-1 y configura password RDS dev 2026-04-15 12:43:37 -06:00
Evert Daniel Romero Garrido cbea3e932b feat(ci): integra Terraform en pipeline de Bitbucket Pipelines 
- Agrega paso 03_terraform para DEV y PROD con init, plan y apply
- Crea backend.dev.hcl para configuración explícita de estado DEV
- Refactoriza Route53/ACM en main.tf para soportar PROD cross-account
  usando count condicional sin romper estado de DEV
- Descomenta provider aws.route53 en provider.tf
- Añade domain_name faltante en prod.tfvars y confirma dev.tfvars
- Corrige output route53_record para recursos con count
- Elimina errored.tfstate corrupto local
- Incluye permiso sts:AssumeRole en IAM policy para Route53 cross-account
 2026-04-14 19:40:57 -06:00
Evert Daniel Romero Garrido 3fe8cb1391 chore(ci): fix S3 artifacts bucket references in install step and secure terraform tfvars 
- Use DEV_S3_ARTIFACTS_BUCKET and PROD_S3_ARTIFACTS_BUCKET in 06_install
  instead of generic S3_ARTIFACTS_BUCKET to prevent cross-env reads
- Add terraform/environments/*.tfvars to .gitignore to prevent secret leaks
- Update prod backend state bucket name to proyectosacc-specific bucket
- Add CI/CD credential policy documentation
 2026-04-14 16:01:30 -06:00
Evert Daniel Romero Garrido 2cdeee0b84 chore(ci): update pipeline to use env-prefixed S3 bucket variables 
Aligns bitbucket-pipelines.yml with CCsoft CI/CD convention
<Env>_S3_FRONTEND_BUCKET and <Env>_S3_ARTIFACTS_BUCKET.
Branches already use master/developer.
 2026-04-14 15:31:18 -06:00
Evert Daniel Romero Garrido 85297b12a2 Initial commit: Terraform infrastructure, pipelines, docs and scripts 2026-04-14 14:53:05 -06:00