Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 13 additions & 2 deletions infra/extractor/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ data "aws_ami" "ubuntu" {
}
}

# --- IAM: SSM(관리 접근, SSH inbound 0) + 시크릿을 SSM Param 에서 읽기 ---
# --- IAM: SSM(관리·비상 접근) + 시크릿을 SSM Param 에서 읽기. 배포는 SSH(단일 transport)로 통일 ---
resource "aws_iam_role" "extractor" {
name = var.name_prefix
assume_role_policy = jsonencode({
Expand Down Expand Up @@ -119,6 +119,17 @@ resource "aws_security_group" "extractor" {
security_groups = [data.aws_security_group.app.id] # IP 대신 SG 참조 = '우리 서버만'
}

# SSH 단일 transport 결정(배포 블록 공통화): 배포가 core 와 같은 "러너에서 SSH" 경로로 통일된다.
# GH 러너는 고정 IP 가 없어 전역 개방. 인증은 키 전용(비밀번호 로그인 없음)이라 실질 위험은
# sshd 자체 취약점 노출면이며, 이는 core 박스가 이미 수용 중인 것과 같은 등급이다.
ingress {
description = "SSH for deploy (GitHub Actions runner) and ops"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}

Comment on lines +122 to +132

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

rg -n -C3 \
  'PasswordAuthentication|KbdInteractiveAuthentication|PermitRootLogin|PubkeyAuthentication|authorized_keys|associate_public_ip_address|public_ip|cidr_blocks' .

Repository: TeamPiKi/extractor

Length of output: 1648


🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '110,190p' infra/extractor/main.tf
printf '\n---\n'
rg -n -C2 'PasswordAuthentication|KbdInteractiveAuthentication|PermitRootLogin|authorized_keys|sshd|22' infra

Repository: TeamPiKi/extractor

Length of output: 3990


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Look for any SSH daemon hardening, key provisioning, or alternative access paths.
rg -n -C2 -i 'sshd_config|PasswordAuthentication|KbdInteractiveAuthentication|PermitRootLogin|PubkeyAuthentication|authorized_keys|allowusers|allowgroups|ssm|session manager|bastion|vpn|security group|ssh' infra .github README* .

Repository: TeamPiKi/extractor

Length of output: 19022


Avoid public SSH ingress on the extractor instance. infra/extractor/main.tf:122-130 opens port 22 to 0.0.0.0/0 on a public instance, which leaves sshd exposed to the internet. Key-only auth helps, but this still warrants a narrower access path (SSM, bastion/VPN, or a self-hosted runner) instead of global SSH.

🧰 Tools
🪛 Trivy (0.69.3)

[error] 130-130: Security groups should not allow unrestricted ingress to SSH or RDP from any IP address.

Security group rule allows unrestricted ingress from any IP address.

Rule: AWS-0107

Resource: aws_security_group.extractor

Learn more

(IaC/AWS)


[error] 127-127: A security group rule should not allow unrestricted egress to any IP address.

Security group rule allows unrestricted egress to any IP address.

Rule: AWS-0104

Resource: aws_security_group.extractor

Learn more

(IaC/AWS)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@infra/extractor/main.tf` around lines 122 - 132, Update the extractor
instance security-group SSH ingress block to remove the global 0.0.0.0/0 access
and use the repository’s supported restricted access path, such as SSM,
bastion/VPN, or a self-hosted runner. Preserve required deployment and
operations access without exposing port 22 publicly.

Source: Linters/SAST tools

egress {
description = "all outbound (arbitrary product links + Gemini API + headless render)"
from_port = 0
Expand Down Expand Up @@ -155,7 +166,7 @@ resource "aws_instance" "extractor" {
}

# 얇은 베이스: Docker 만 설치(arm64). 추출 서비스 컨테이너는 terraform 이 안 건드리고
# 앱 배포 레이어가 올린다(→ JVM/앱 버전이 바뀌어도 이 terraform 무변경). SSH 키 없음 — 관리는 SSM 으로.
# 앱 배포 레이어가 올린다(→ JVM/앱 버전이 바뀌어도 이 terraform 무변경). SSH 공개키는 terraform 밖에서 주입(authorized_keys).
user_data = <<-EOF
#!/usr/bin/env bash
set -euxo pipefail
Expand Down
Loading