Security & Operations Improvements:
- Add step 06_update_ssh_keys to rotate authorized_keys on EC2
before each deployment, ensuring only current pipeline can access
- Add step 09_health_check with retry logic (12 retries, 10s interval)
verifying API backend (/actuator/health), CloudFront, and RDS
- Add manual approval (trigger: manual) for production deployment
with terraform plan saved as artifact (prod.tfplan)
- Document terraform auto-approve policy: dev automatic, prod manual
- Use DEV_DB_HOST and PROD_DB_HOST variables for RDS connectivity checks
- Reorder steps: 7 steps → 9 steps standard CCsoft pipeline
Closes pipeline security gaps and adds post-deploy verification.
Switch PROD DNS from cross-account Route 53 management to a delegated
subdomain in the PROD AWS account (523761210517).
Changes:
- prod.tfvars: domain_name changed to prod-sacc.ccsoft.mx
- provider.tf: removed aws.route53 cross-account provider
- main.tf: removed prod-specific Route 53 resources and data sources;
cert_validation and main records now use default provider for all envs
- outputs.tf: removed indexed references to main_prod resource
- Agrega paso 03_terraform para DEV y PROD con init, plan y apply
- Crea backend.dev.hcl para configuración explícita de estado DEV
- Refactoriza Route53/ACM en main.tf para soportar PROD cross-account
usando count condicional sin romper estado de DEV
- Descomenta provider aws.route53 en provider.tf
- Añade domain_name faltante en prod.tfvars y confirma dev.tfvars
- Corrige output route53_record para recursos con count
- Elimina errored.tfstate corrupto local
- Incluye permiso sts:AssumeRole en IAM policy para Route53 cross-account
Evert Daniel Romero Garrido
Evert Romero
Evert Daniel Romero Garrido