Merge branch 'main' into develop

Author: Neiland85

.dockerignore

@@ -0,0 +1,173 @@
+# Workflow alternativo para casos de emergencia o testing
+name: CI/CD Pipeline - Fixed
+
+on:
+  workflow_dispatch:
+    inputs:
+      skip_tests:
+        description: '¿Saltar tests? (solo para emergencias)'
+        required: true
+        default: 'false'
+        type: choice
+        options:
+        - 'true'
+        - 'false'
+      force_deploy:
+        description: '¿Forzar deployment?'
+        required: true
+        default: 'false'
+        type: choice
+        options:
+        - 'true'
+        - 'false'
+
+# Permisos necesarios para AWS OIDC
+permissions:
+  id-token: write   # Para AWS OIDC authentication
+  contents: read    # Para hacer checkout del código
+
+env:
+  AWS_REGION: eu-west-1
+  ECR_REPOSITORY: neurobank-fastapi
+  AWS_ACCOUNT_ID: 120242956739
+  AWS_ROLE_ARN: arn:aws:iam::120242956739:role/GitHubActionsOIDCRole
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    if: github.event.inputs.skip_tests != 'true'
+    steps:
+    - uses: actions/checkout@v4
+    
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.11'
+    
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install -r requirements.txt
+    
+    - name: Run tests with coverage
+      run: |
+        python -m pytest --cov=app --cov-report=xml --cov-report=html
+    
+    - name: Upload coverage reports
+      uses: actions/upload-artifact@v4
+      if: always()
+      with:
+        name: coverage-reports
+        path: |
+          coverage.xml
+          htmlcov/
+
+  security:
+    runs-on: ubuntu-latest
+    if: github.event.inputs.skip_tests != 'true'
+    steps:
+    - uses: actions/checkout@v4
+    
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.11'
+    
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install -r requirements.txt
+        pip install bandit safety
+    
+    - name: Run Bandit security scan
+      run: |
+        bandit -r app/ -f json -o bandit-report.json --skip B101 || true
+    
+    - name: Run Safety vulnerability scan
+      run: |
+        pip freeze > current-requirements.txt
+        safety scan --json --output safety-report.json --continue-on-error || true
+    
+    - name: Upload security reports
+      uses: actions/upload-artifact@v4
+      if: always()
+      with:
+        name: security-reports-fixed
+        path: |
+          bandit-report.json
+          safety-report.json
+
+  build-and-deploy:
+    needs: [test, security]
+    runs-on: ubuntu-latest
+    if: |
+      always() && 
+      github.event.inputs.force_deploy == 'true' &&
+      (github.event.inputs.skip_tests == 'true' || 
+       (needs.test.result == 'success' && needs.security.result == 'success'))
+    
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+    
+    - name: Emergency deployment warning
+      if: github.event.inputs.skip_tests == 'true'
+      run: |
+        echo "⚠️  WARNING: EMERGENCY DEPLOYMENT MODE"
+        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+        echo "🚨 Tests have been SKIPPED!"
+        echo "🚨 This should only be used in emergency situations!"
+        echo "🚨 Make sure to run full testing after deployment!"
+        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.11'
+    
+    - name: Configure AWS credentials via OIDC
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ env.AWS_ROLE_ARN }}
+        aws-region: ${{ env.AWS_REGION }}
+        role-session-name: GitHubActions-Fixed-${{ github.run_id }}
+    
+    - name: Verify AWS connection
+      run: |
+        echo "🔍 Verifying AWS OIDC connection..."
+        aws sts get-caller-identity
+        echo "✅ AWS connection verified!"
+    
+    - name: Setup SAM CLI
+      uses: aws-actions/setup-sam@v2
+      with:
+        use-installer: true
+    
+    - name: Create ECR repository if not exists
+      run: |
+        aws ecr describe-repositories --repository-names ${{ env.ECR_REPOSITORY }} --region ${{ env.AWS_REGION }} || \
+        aws ecr create-repository --repository-name ${{ env.ECR_REPOSITORY }} --region ${{ env.AWS_REGION }}
+    
+    - name: Login to Amazon ECR
+      id: login-ecr
+      uses: aws-actions/amazon-ecr-login@v2
+    
+    - name: Build and push Docker image
+      env:
+        ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+        IMAGE_TAG: fixed-${{ github.sha }}
+      run: |
+        docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
+        docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+        docker tag $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG $ECR_REGISTRY/$ECR_REPOSITORY:latest
+        docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
+    
+    - name: Deploy to AWS Lambda
+      run: |
+        sam build --region ${{ env.AWS_REGION }}
+        sam deploy --no-confirm-changeset --no-fail-on-empty-changeset \
+          --stack-name neurobank-api-fixed \
+          --capabilities CAPABILITY_IAM \
+          --region ${{ env.AWS_REGION }} \
+          --parameter-overrides ApiKey=${{ secrets.API_KEY || 'emergency-deploy-key' }}
+        echo "🎉 Emergency deployment completed!"

.github/workflows/ci-cd-fixed.yml

@@ -5,10 +5,36 @@ on:
     branches: [ main, develop ]
   pull_request:
     branches: [ main ]
+  # Deployment solo cuando el usuario lo solicite manualmente
+  workflow_dispatch:
+    inputs:
+      deploy_to_aws:
+        description: '¿Desplegar a AWS?'
+        required: true
+        default: 'false'
+        type: choice
+        options:
+        - 'true'
+        - 'false'
+      environment:
+        description: 'Entorno de deployment'
+        required: true
+        default: 'staging'
+        type: choice
+        options:
+        - 'staging'
+        - 'production'
+
+# Permisos necesarios para AWS OIDC
+permissions:
+  id-token: write   # Para AWS OIDC authentication
+  contents: read    # Para hacer checkout del código
 
 env:
   AWS_REGION: eu-west-1
   ECR_REPOSITORY: neurobank-fastapi
+  AWS_ACCOUNT_ID: 120242956739
+  AWS_ROLE_ARN: arn:aws:iam::120242956739:role/GitHubActionsOIDCRole
 
 jobs:
   test:
@@ -83,44 +109,54 @@ jobs:
     - name: Check deployment readiness
       run: |
         echo "🔍 Checking deployment readiness..."
-        if [ -z "${{ secrets.AWS_ACCESS_KEY_ID }}" ] || [ -z "${{ secrets.AWS_SECRET_ACCESS_KEY }}" ]; then
+        if [ -z "${{ secrets.AWS_ACCOUNT_ID }}" ]; then
           echo ""
-          echo "⚠️  AWS CREDENTIALS NOT CONFIGURED"
+          echo "⚠️  AWS OIDC NOT CONFIGURED"
           echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
           echo "To enable automatic deployment, please configure:"
           echo ""
           echo "1. Go to: https://github.com/${{ github.repository }}/settings/secrets/actions"
-          echo "2. Add these Repository Secrets:"
-          echo "   • AWS_ACCESS_KEY_ID"
-          echo "   • AWS_SECRET_ACCESS_KEY" 
-          echo "   • API_KEY (for your application)"
+          echo "2. Add this Repository Secret:"
+          echo "   • AWS_ACCOUNT_ID (your 12-digit AWS account number)"
+          echo "   • API_KEY (for your application - optional)"
+          echo ""
+          echo "3. Ensure AWS OIDC role exists:"
+          echo "   • Role name: GitHubActionsOIDCRole"
+          echo "   • Trust policy allows: ${{ github.repository }}"
           echo ""
-          echo "3. Also create an ECR repository named: ${{ env.ECR_REPOSITORY }}"
+          echo "4. Also create an ECR repository named: ${{ env.ECR_REPOSITORY }}"
           echo ""
           echo "✅ Tests and Security scans completed successfully!"
-          echo "🚀 Deployment will run automatically once credentials are configured"
+          echo "🚀 Deployment will run automatically once OIDC is configured"
           echo ""
         else
-          echo "✅ AWS credentials are configured - deployment will proceed"
+          echo "✅ AWS OIDC is configured - deployment will proceed"
           echo "🚀 Ready for production deployment to AWS Lambda!"
           echo "📍 Region: ${{ env.AWS_REGION }}"
           echo "📦 ECR Repository: ${{ env.ECR_REPOSITORY }}"
+          echo "🔐 AWS Role: ${{ env.AWS_ROLE_ARN }}"
+          echo "🏗️  Using secure OIDC authentication (no long-term keys) ✨"
         fi
 
   build-and-deploy:
     needs: [test, security]
     runs-on: ubuntu-latest
-    if: github.ref == 'refs/heads/main'
+    # Solo deployar cuando el usuario lo active manualmente con workflow_dispatch
+    if: |
+      (github.event_name == 'workflow_dispatch' && 
+       github.event.inputs.deploy_to_aws == 'true' && 
+       github.ref == 'refs/heads/main')
     
     steps:
     - name: Checkout
       uses: actions/checkout@v4
 
-    - name: Verify deployment prerequisites
+    - name: Verify OIDC prerequisites
       run: |
-        echo "🚀 Starting deployment process..."
+        echo "🚀 Starting OIDC-secured deployment process..."
         echo "📍 AWS Region: ${{ env.AWS_REGION }}"
         echo "📦 ECR Repository: ${{ env.ECR_REPOSITORY }}"
+        develop
         echo "🔑 Checking AWS Credentials..."
         
         # Verify secrets are available (without exposing them)
@@ -136,25 +172,47 @@ jobs:
           exit 1
         else
           echo "✅ AWS_SECRET_ACCESS_KEY is available"
+
+        echo "� AWS Role ARN: ${{ env.AWS_ROLE_ARN }}"
+        echo "🏗️  Using secure OIDC authentication ✨"
+        
+        # Verify AWS Account ID is available
+        if [ -z "${{ secrets.AWS_ACCOUNT_ID }}" ]; then
+          echo "❌ AWS_ACCOUNT_ID secret is missing"
+          echo "💡 Add it in: https://github.com/${{ github.repository }}/settings/secrets/actions"
+          exit 1
+        else
+          echo "✅ AWS_ACCOUNT_ID is configured"
+        main
         fi
         
         if [ -z "${{ secrets.API_KEY }}" ]; then
           echo "⚠️  API_KEY is missing - using default"
         else
+        develop
           echo "✅ API_KEY is available"
+
+          echo "✅ API_KEY is configured"
+        main
         fi
     
     - name: Set up Python
       uses: actions/setup-python@v5
       with:
         python-version: '3.11'
 
-    - name: Configure AWS credentials
+    - name: Configure AWS credentials via OIDC
       uses: aws-actions/configure-aws-credentials@v4
       with:
-        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        role-to-assume: ${{ env.AWS_ROLE_ARN }}
         aws-region: ${{ env.AWS_REGION }}
+        role-session-name: GitHubActions-${{ github.run_id }}
+    
+    - name: Debug AWS identity
+      run: |
+        echo "🧪 Testing AWS OIDC connection..."
+        aws sts get-caller-identity
+        echo "✅ AWS OIDC connection successful!"
     
     - name: Test AWS connection
       run: |
@@ -201,3 +259,9 @@ jobs:
           --region ${{ env.AWS_REGION }} \
           --parameter-overrides ApiKey=${{ secrets.API_KEY || 'default-api-key' }}
         echo "🎉 Deployment completed successfully!"
+        develop
+
+        echo "📋 Stack: neurobank-api"
+        echo "📍 Region: ${{ env.AWS_REGION }}"
+        echo "🔗 Check AWS Lambda console for endpoint URL"
+         main