Commit Graph

6 Commits

Author SHA1 Message Date
Evert Daniel Romero Garrido dd2f31ec2a fix(pipeline): fix OIDC token handling and backend region validation
- Write BITBUCKET_STEP_OIDC_TOKEN to a temporary file to avoid
  OSError: File name too long in the JWT decoder
- Python reads the token via stdin instead of passing the JWT as a filename
- Add skip_region_validation = true in backend.dev.hcl and backend.prod.hcl
  for compatibility with mx-central-1
2026-04-16 13:37:36 -06:00
Evert Daniel Romero Garrido 40552bb5c7 fix: fix reading of the OIDC token in aws-oidc-setup.sh 2026-04-16 12:12:36 -06:00
Evert Daniel Romero Garrido 4791fdcae6 debug(oidc): print decoded JWT payload to diagnose audience mismatch 2026-04-16 11:58:19 -06:00
Evert Daniel Romero Garrido 18b436e582 fix(oidc): install AWS CLI v2 inside aws-oidc-setup.sh if missing 2026-04-16 11:42:54 -06:00
Evert Daniel Romero Garrido ec40b94795 fix(oidc): explicit STS assume-role for Terraform S3 backend compatibility
The previous script only exported AWS_WEB_IDENTITY_TOKEN_FILE and
AWS_ROLE_ARN, expecting AWS CLI/Terraform to pick them up automatically.
However, Terraform's S3 backend does not use these variables implicitly.

Now we explicitly call 'aws sts assume-role-with-web-identity',
parse the JSON response, and export the temporary credentials:
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
- AWS_SESSION_TOKEN

Also exports AWS_REGION for Terraform S3 backend compatibility.

Fixes pipeline failure in step 03_terraform with:
InvalidIdentityToken: Incorrect token audience
2026-04-16 11:20:59 -06:00
Evert Daniel Romero Garrido 744c5d1413 feat(iam): implement OIDC authentication between Bitbucket Pipelines and AWS
- Add aws_iam_openid_connect_provider and IAM roles for DEV/PROD
- Update bitbucket-pipelines.yml to use OIDC in steps 03, 05, 07
- Create helper script scripts/aws-oidc-setup.sh
- Add the tls provider in terraform/provider.tf
- Document the full flow in docs/14-oidc-bitbucket-aws.md

Removes the dependency on static AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
in the pipeline, allowing authentication without long-lived credentials
via AssumeRoleWithWebIdentity.

Refs: DEV account 668889063715, PROD account 523761210517
2026-04-15 12:50:31 -06:00