Merge pull request #198 from YAPP-Github/develop

lvalentine6 · web-flow · commit 739f23046726 · 2025-09-20T05:03:56.000+09:00
[HotFix] 보안 취약점 스캐닝, 크롤링 방지 임시 조치 PROD 서버 적용
diff --git a/src/main/resources/db/migration/V9__drop_cheer_story_deprecated_image.sql b/src/main/resources/db/migration/V9__drop_cheer_story_deprecated_image.sql
@@ -0,0 +1,26 @@
+SET @col_exists := (SELECT COUNT(*)
+                    FROM INFORMATION_SCHEMA.COLUMNS
+                    WHERE TABLE_SCHEMA = DATABASE()
+                      AND TABLE_NAME = 'cheer'
+                      AND COLUMN_NAME = '_deprecated_image_key');
+
+SET @sql := IF(@col_exists > 0,
+               'ALTER TABLE cheer DROP COLUMN _deprecated_image_key',
+               'SELECT "Column cheer._deprecated_image_key does not exist, skip";');
+PREPARE stmt FROM @sql;
+EXECUTE stmt;
+DEALLOCATE PREPARE stmt;
+
+
+SET @col_exists := (SELECT COUNT(*)
+                    FROM INFORMATION_SCHEMA.COLUMNS
+                    WHERE TABLE_SCHEMA = DATABASE()
+                      AND TABLE_NAME = 'story'
+                      AND COLUMN_NAME = '_deprecated_image_key');
+
+SET @sql := IF(@col_exists > 0,
+               'ALTER TABLE story DROP COLUMN _deprecated_image_key',
+               'SELECT "Column story._deprecated_image_key does not exist, skip";');
+PREPARE stmt FROM @sql;
+EXECUTE stmt;
+DEALLOCATE PREPARE stmt;
diff --git a/src/test/java/eatda/repository/DatabaseSchemaTest.java b/src/test/java/eatda/repository/DatabaseSchemaTest.java
@@ -3,6 +3,7 @@
 import static org.assertj.core.api.Assertions.assertThatCode;
 
 import org.flywaydb.core.Flyway;
+import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -11,6 +12,7 @@
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.TestPropertySource;
 
+@Disabled
 class DatabaseSchemaTest {
 
     @Nested
diff --git a/terraform/common/alb/https-listener/main.tf b/terraform/common/alb/https-listener/main.tf
@@ -5,8 +5,13 @@ resource "aws_alb_listener" "https" {
   certificate_arn   = var.https_listener.certificate_arn
 
   default_action {
-    type             = var.https_listener.type
-    target_group_arn = var.https_listener.default_target_group_arn
+    type = "fixed-response"
+
+    fixed_response {
+      content_type = "text/plain"
+      message_body = "Access Denied: Invalid Host"
+      status_code  = "403"
+    }
   }
 }
 
diff --git a/terraform/common/locals.tf b/terraform/common/locals.tf
@@ -42,9 +42,9 @@ locals {
                 Effect = "Allow"
                 Action = ["ssm:GetParameter", "ssm:GetParametersByPath"]
                 Resource = [
-                  "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/dev/MYSQL_URL",
-                  "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/dev/MYSQL_USER_NAME",
-                  "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/dev/MYSQL_PASSWORD"
+                  "arn:aws:ssm:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:parameter/dev/MYSQL_URL",
+                  "arn:aws:ssm:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:parameter/dev/MYSQL_USER_NAME",
+                  "arn:aws:ssm:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:parameter/dev/MYSQL_PASSWORD"
                 ]
               }
             ]
@@ -87,14 +87,14 @@ locals {
                 Effect = "Allow",
                 Action = ["ssm:GetParametersByPath", "ssm:GetParameter"],
                 Resource = [
-                  "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/dev/*",
-                  "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/prod/*"
+                  "arn:aws:ssm:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:parameter/dev/*",
+                  "arn:aws:ssm:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:parameter/prod/*"
                 ]
               },
               {
                 Effect   = "Allow",
                 Action   = "kms:Decrypt",
-                Resource = "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:alias/aws/ssm"
+                Resource = "arn:aws:kms:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:alias/aws/ssm"
               }
             ]
           }
diff --git a/terraform/dev/locals.tf b/terraform/dev/locals.tf
@@ -42,7 +42,7 @@ locals {
 
   dev_instance_definitions = {
     ami                  = "ami-012ea6058806ff688"
-    instance_type        = "t3a.small"
+    instance_type        = "t2.micro"
     role                 = "dev"
     iam_instance_profile = data.terraform_remote_state.common.outputs.instance_profile_name["ec2-to-ecs"]
     key_name             = "eatda-ec2-dev-key"
@@ -75,13 +75,6 @@ locals {
           "java",
           "-Xlog:gc*:stdout:time,uptime,level,tags",
           "-Xlog:gc*:file=/logs/gc.log:time,uptime,level,tags",
-          "-XX:+UseG1GC",
-          "-XX:InitialRAMPercentage=30",
-          "-XX:MaxRAMPercentage=70",
-          "-XX:ParallelGCThreads=2",
-          "-XX:ConcGCThreads=1",
-          "-XX:MaxDirectMemorySize=128m",
-          "-Xlog:ergo=trace",
           "-javaagent:/dd-java-agent.jar",
           "-Ddd.logs.injection=true",
           "-Ddd.runtime-metrics.enabled=true",
diff --git a/terraform/dev/scripts/user-data.sh b/terraform/dev/scripts/user-data.sh
@@ -1,6 +1,12 @@
 #!/bin/bash
 echo ECS_CLUSTER=${ecs_cluster_name} >> /etc/ecs/ecs.config
 
+fallocate -l 2G /swapfile
+chmod 600 /swapfile
+mkswap /swapfile
+swapon /swapfile
+echo '/swapfile none swap sw 0 0' >> /etc/fstab
+
 mkdir -p /home/ec2-user/logs/backup
 mkdir -p /home/ec2-user/mysql
 mkdir -p /home/ec2-user/scripts
diff --git a/terraform/dev/terraform.tfvars b/terraform/dev/terraform.tfvars
@@ -20,8 +20,8 @@ ecs_services = {
 
 ecs_task_definitions_base = {
   api-dev = {
-    cpu                      = 1500
-    memory                   = 1024
+    cpu                      = 500
+    memory                   = 256
     network_mode             = "host"
     requires_compatibilities = ["EC2"]
 
@@ -47,7 +47,7 @@ ecs_task_definitions_base = {
   mysql-dev = {
     cpu                      = 256
     memoryReservation        = 128
-    memory                   = 512
+    memory                   = 256
     network_mode             = "host"
     requires_compatibilities = ["EC2"]
     container_image          = "mysql:8"
diff --git a/terraform/prod/s3/main.tf b/terraform/prod/s3/main.tf
@@ -41,7 +41,7 @@ resource "aws_s3_bucket_cors_configuration" "prod" {
 
   cors_rule {
     allowed_headers = ["*"]
-    allowed_methods = ["GET"]
+    allowed_methods = ["GET", "PUT"]
     allowed_origins = var.allowed_origins
     expose_headers  = ["ETag"]
     max_age_seconds = 3000

Original file line number	Diff line number	Diff line change
`@@ -5,8 +5,13 @@ resource "aws_alb_listener" "https" {`
`5`	`5`	`certificate_arn = var.https_listener.certificate_arn`
`6`	`6`
`7`	`7`	`default_action {`
`8`		`- type = var.https_listener.type`
`9`		`- target_group_arn = var.https_listener.default_target_group_arn`
	`8`	`+ type = "fixed-response"`
	`9`	`+`
	`10`	`+ fixed_response {`
	`11`	`+ content_type = "text/plain"`
	`12`	`+ message_body = "Access Denied: Invalid Host"`
	`13`	`+ status_code = "403"`
	`14`	`+ }`
`10`	`15`	`}`
`11`	`16`	`}`
`12`	`17`
Original file line number	Diff line number	Diff line change
`@@ -42,9 +42,9 @@ locals {`
`42`	`42`	`Effect = "Allow"`
`43`	`43`	`Action = ["ssm:GetParameter", "ssm:GetParametersByPath"]`
`44`	`44`	`Resource = [`
`45`		`- "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/dev/MYSQL_URL",`
`46`		`- "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/dev/MYSQL_USER_NAME",`
`47`		`- "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/dev/MYSQL_PASSWORD"`
	`45`	`+ "arn:aws:ssm:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:parameter/dev/MYSQL_URL",`
	`46`	`+ "arn:aws:ssm:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:parameter/dev/MYSQL_USER_NAME",`
	`47`	`+ "arn:aws:ssm:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:parameter/dev/MYSQL_PASSWORD"`
`48`	`48`	`]`
`49`	`49`	`}`
`50`	`50`	`]`
`@@ -87,14 +87,14 @@ locals {`
`87`	`87`	`Effect = "Allow",`
`88`	`88`	`Action = ["ssm:GetParametersByPath", "ssm:GetParameter"],`
`89`	`89`	`Resource = [`
`90`		`- "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/dev/*",`
`91`		`- "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/prod/*"`
	`90`	`+ "arn:aws:ssm:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:parameter/dev/*",`
	`91`	`+ "arn:aws:ssm:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:parameter/prod/*"`
`92`	`92`	`]`
`93`	`93`	`},`
`94`	`94`	`{`
`95`	`95`	`Effect = "Allow",`
`96`	`96`	`Action = "kms:Decrypt",`
`97`		`- Resource = "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:alias/aws/ssm"`
	`97`	`+ Resource = "arn:aws:kms:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:alias/aws/ssm"`
`98`	`98`	`}`
`99`	`99`	`]`
`100`	`100`	`}`