Skip to content

SSH 22 인바운드 개방: 배포 transport 를 SSH 로 통일#5

Merged
m-a-king merged 1 commit into
mainfrom
infra/open-ssh-ingress
Jul 15, 2026
Merged

SSH 22 인바운드 개방: 배포 transport 를 SSH 로 통일#5
m-a-king merged 1 commit into
mainfrom
infra/open-ssh-ingress

Conversation

@m-a-king

@m-a-king m-a-king commented Jul 15, 2026

Copy link
Copy Markdown
Collaborator

Situation

  • 배포 블록 공통화(TeamPiKi/infra)에서 세 서비스의 유일한 실질 장벽이 transport 차이였다: core 는 러너에서 SSH, extractor·renderer 는 SSM in-box.
  • SSH 단일 transport 로 통일하기로 결정했다. via-ssm 어댑터를 만들 필요가 없어지고, 블록 하나에 scp와 실시간 로그로 세 서비스가 같은 경로를 쓴다.

Action

  • SG 에 22/tcp 인바운드를 추가했다. GH 러너는 고정 IP 가 없어 전역 개방이며, 인증은 키 전용이다.
  • 남는 실질 위험은 sshd 자체 취약점 노출면인데, 이는 core 박스가 이미 수용 중인 것과 같은 등급이다. SSM 채널은 관리·비상 접근용으로 유지한다(IAM 정책 무변경).
  • SSH 공개키 주입(authorized_keys)은 terraform 밖에서 수행한다. 시크릿·키를 state 에 남기지 않는 기존 규율 유지.

Result

  • apply 후 배포 블록화가 SSH 단일 전제로 진행 가능해진다. 실제 SSH 배포 배선은 run_container 블록 작업에서 이어진다.

Summary by CodeRabbit

  • New Features

    • Enabled SSH-based deployment access for the extractor environment.
    • Added inbound SSH connectivity on port 22.
    • Continued using secure parameter storage for retrieving secrets.
  • Documentation

    • Updated access guidance to clarify that SSH public keys are managed through authorized keys.

@m-a-king m-a-king self-assigned this Jul 15, 2026
@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Terraform updates the extractor EC2 access model to support SSH-based deployment, opens inbound TCP port 22, retains SSM Parameter Store for secrets, and documents externally injected SSH public keys.

Changes

Extractor SSH transport

Layer / File(s) Summary
SSH access configuration
infra/extractor/main.tf
IAM and user-data comments now describe SSH deployment with SSM-based secret retrieval, and the extractor security group allows inbound SSH on port 22 from 0.0.0.0/0.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed Title clearly summarizes the main change: opening SSH 22 inbound and unifying deployment transport to SSH.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch infra/open-ssh-ingress

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@infra/extractor/main.tf`:
- Around line 122-132: Update the extractor instance security-group SSH ingress
block to remove the global 0.0.0.0/0 access and use the repository’s supported
restricted access path, such as SSM, bastion/VPN, or a self-hosted runner.
Preserve required deployment and operations access without exposing port 22
publicly.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: d87a99c3-1a76-42d4-a502-01e59bebd8a5

📥 Commits

Reviewing files that changed from the base of the PR and between 4deab75 and b1801ed.

📒 Files selected for processing (1)
  • infra/extractor/main.tf

Comment thread infra/extractor/main.tf
Comment on lines +122 to +132
# SSH 단일 transport 결정(배포 블록 공통화): 배포가 core 와 같은 "러너에서 SSH" 경로로 통일된다.
# GH 러너는 고정 IP 가 없어 전역 개방. 인증은 키 전용(비밀번호 로그인 없음)이라 실질 위험은
# sshd 자체 취약점 노출면이며, 이는 core 박스가 이미 수용 중인 것과 같은 등급이다.
ingress {
description = "SSH for deploy (GitHub Actions runner) and ops"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

rg -n -C3 \
  'PasswordAuthentication|KbdInteractiveAuthentication|PermitRootLogin|PubkeyAuthentication|authorized_keys|associate_public_ip_address|public_ip|cidr_blocks' .

Repository: TeamPiKi/extractor

Length of output: 1648


🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '110,190p' infra/extractor/main.tf
printf '\n---\n'
rg -n -C2 'PasswordAuthentication|KbdInteractiveAuthentication|PermitRootLogin|authorized_keys|sshd|22' infra

Repository: TeamPiKi/extractor

Length of output: 3990


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Look for any SSH daemon hardening, key provisioning, or alternative access paths.
rg -n -C2 -i 'sshd_config|PasswordAuthentication|KbdInteractiveAuthentication|PermitRootLogin|PubkeyAuthentication|authorized_keys|allowusers|allowgroups|ssm|session manager|bastion|vpn|security group|ssh' infra .github README* .

Repository: TeamPiKi/extractor

Length of output: 19022


Avoid public SSH ingress on the extractor instance. infra/extractor/main.tf:122-130 opens port 22 to 0.0.0.0/0 on a public instance, which leaves sshd exposed to the internet. Key-only auth helps, but this still warrants a narrower access path (SSM, bastion/VPN, or a self-hosted runner) instead of global SSH.

🧰 Tools
🪛 Trivy (0.69.3)

[error] 130-130: Security groups should not allow unrestricted ingress to SSH or RDP from any IP address.

Security group rule allows unrestricted ingress from any IP address.

Rule: AWS-0107

Resource: aws_security_group.extractor

Learn more

(IaC/AWS)


[error] 127-127: A security group rule should not allow unrestricted egress to any IP address.

Security group rule allows unrestricted egress to any IP address.

Rule: AWS-0104

Resource: aws_security_group.extractor

Learn more

(IaC/AWS)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@infra/extractor/main.tf` around lines 122 - 132, Update the extractor
instance security-group SSH ingress block to remove the global 0.0.0.0/0 access
and use the repository’s supported restricted access path, such as SSM,
bastion/VPN, or a self-hosted runner. Preserve required deployment and
operations access without exposing port 22 publicly.

Source: Linters/SAST tools

@m-a-king m-a-king merged commit f55b110 into main Jul 15, 2026
2 checks passed
@m-a-king m-a-king deleted the infra/open-ssh-ingress branch July 15, 2026 14:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant