SSH 22 인바운드 개방: 배포 transport 를 SSH 로 통일#5
Conversation
📝 WalkthroughWalkthroughTerraform updates the extractor EC2 access model to support SSH-based deployment, opens inbound TCP port 22, retains SSM Parameter Store for secrets, and documents externally injected SSH public keys. ChangesExtractor SSH transport
Estimated code review effort: 2 (Simple) | ~10 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@infra/extractor/main.tf`:
- Around line 122-132: Update the extractor instance security-group SSH ingress
block to remove the global 0.0.0.0/0 access and use the repository’s supported
restricted access path, such as SSM, bastion/VPN, or a self-hosted runner.
Preserve required deployment and operations access without exposing port 22
publicly.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: d87a99c3-1a76-42d4-a502-01e59bebd8a5
📒 Files selected for processing (1)
infra/extractor/main.tf
| # SSH 단일 transport 결정(배포 블록 공통화): 배포가 core 와 같은 "러너에서 SSH" 경로로 통일된다. | ||
| # GH 러너는 고정 IP 가 없어 전역 개방. 인증은 키 전용(비밀번호 로그인 없음)이라 실질 위험은 | ||
| # sshd 자체 취약점 노출면이며, 이는 core 박스가 이미 수용 중인 것과 같은 등급이다. | ||
| ingress { | ||
| description = "SSH for deploy (GitHub Actions runner) and ops" | ||
| from_port = 22 | ||
| to_port = 22 | ||
| protocol = "tcp" | ||
| cidr_blocks = ["0.0.0.0/0"] | ||
| } | ||
|
|
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
rg -n -C3 \
'PasswordAuthentication|KbdInteractiveAuthentication|PermitRootLogin|PubkeyAuthentication|authorized_keys|associate_public_ip_address|public_ip|cidr_blocks' .Repository: TeamPiKi/extractor
Length of output: 1648
🏁 Script executed:
#!/bin/bash
set -euo pipefail
sed -n '110,190p' infra/extractor/main.tf
printf '\n---\n'
rg -n -C2 'PasswordAuthentication|KbdInteractiveAuthentication|PermitRootLogin|authorized_keys|sshd|22' infraRepository: TeamPiKi/extractor
Length of output: 3990
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Look for any SSH daemon hardening, key provisioning, or alternative access paths.
rg -n -C2 -i 'sshd_config|PasswordAuthentication|KbdInteractiveAuthentication|PermitRootLogin|PubkeyAuthentication|authorized_keys|allowusers|allowgroups|ssm|session manager|bastion|vpn|security group|ssh' infra .github README* .Repository: TeamPiKi/extractor
Length of output: 19022
Avoid public SSH ingress on the extractor instance. infra/extractor/main.tf:122-130 opens port 22 to 0.0.0.0/0 on a public instance, which leaves sshd exposed to the internet. Key-only auth helps, but this still warrants a narrower access path (SSM, bastion/VPN, or a self-hosted runner) instead of global SSH.
🧰 Tools
🪛 Trivy (0.69.3)
[error] 130-130: Security groups should not allow unrestricted ingress to SSH or RDP from any IP address.
Security group rule allows unrestricted ingress from any IP address.
Rule: AWS-0107
Resource: aws_security_group.extractor
(IaC/AWS)
[error] 127-127: A security group rule should not allow unrestricted egress to any IP address.
Security group rule allows unrestricted egress to any IP address.
Rule: AWS-0104
Resource: aws_security_group.extractor
(IaC/AWS)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@infra/extractor/main.tf` around lines 122 - 132, Update the extractor
instance security-group SSH ingress block to remove the global 0.0.0.0/0 access
and use the repository’s supported restricted access path, such as SSM,
bastion/VPN, or a self-hosted runner. Preserve required deployment and
operations access without exposing port 22 publicly.
Source: Linters/SAST tools
Situation
Action
Result
Summary by CodeRabbit
New Features
Documentation