CVE Suppression: Are there any CVEs present in the codebase (either newly introduced or pre-existing) that are being intentionally suppressed or ignored by this commit?
Yes
No
Checklist
commit messages are meaningful and follow good commit message guidelines
README and other documentation have been updated / added (if needed)
tests have been updated / new tests have been added (if needed)
Consistency in Naming Conventions: Ensure that the naming pattern for keys and values in tfvars files is consistent. For example, some custom domains contain "ccd" while others don't (return-case-doc.ccd vs return-case-doc-ccd). If this is intentional, document why this inconsistency exists.
Key Sorting: For readability and ease of maintenance, consider sorting the attributes alphabetically within each block. This reduces cognitive load when finding keys.
Security
Mode Change Impact: The change from Detection to Prevention can have significant implications in production and non-production environments. Ensure the deployment is tested rigorously to avoid unintended service disruptions. Consider adding a comment or documentation to highlight why Prevention is necessary.
Environment-Specific Backend Domains: Ensure the backend domains specified are correctly scoped and tested for every environment (firewall-nonprodi-palo-cftithc in ITHC, firewall-prod-int-palo-cftprod in prod, etc.). Any misconfiguration could lead to traffic misdirection or service breaks.
Best Practice
Modularization: If the frontend configurations are repetitive apart from some specific values (like dns_zone_name, backend_domain), consider modularizing them to improve maintainability. For example:

```hcl
frontend_template = {
  mode           = "Prevention"
  custom_domain  = var.custom_domain
  dns_zone_name  = var.dns_zone_name
  backend_domain = var.backend_domain
}
```

Then, pass specific values via variables.
Comments: Add comments describing the context or impact of the mode change. For instance, why is Prevention mode necessary now? This adds clarity for future maintenance.
Validation: If Terraform supports validation rules in your codebase (via variables blocks), consider adding constraints to validate mode values to only allow valid strings (Detection or Prevention) to reduce future errors.
Cost and Carbon Usage
Backend Domain Usage: Review the backend domain(s) for cost efficiency in Azure. If the resources backing these domains (e.g., Palo Alto firewalls) are over-provisioned for any environment (especially non-prod), consider optimizing the infrastructure for cost and sustainability.
Terraform Plan Audit: The Prevention mode in production may introduce additional operational complexity for the firewall (e.g., inspecting all traffic, blocking malicious requests). Ensure this mode doesn’t lead to unexpected cost spikes due to scaling or resource allocation on Azure.
Suggestions Summary
Ensure naming conventions are consistent, or document deviations.
Sort keys alphabetically to enhance readability.
Test thoroughly before enabling Prevention mode.
Modularize repetitive configurations for maintainability.
Add validation rules and comments for clarity.
Audit infrastructure provisioning costs tied to backend domains.
These improvements help maintain quality, comprehensibility, security, and sustainability.
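An added example (not code from this PR or from the reviewer) of how the modularization and validation suggestions above could be expressed in Terraform: the variable name `frontends`, its object shape, and the `firewall-<env>-palo-<suffix>` backend naming convention are assumptions inferred from the two backend names quoted in the review.

```hcl
# Added example, not code from the PR. Assumes one map variable, "frontends",
# carrying the per-frontend values the review describes as repetitive, so each
# environment's tfvars supplies only what differs (mode, domains).
variable "frontends" {
  description = "WAF frontend definitions keyed by a short name (assumed shape)"
  type = map(object({
    mode           = string
    custom_domain  = string
    dns_zone_name  = string
    backend_domain = string
  }))

  # Only the two WAF modes named in the review are accepted. A typo such as
  # "prevention" or "Prevent" fails at `terraform plan` instead of deploying a
  # policy in an unintended mode.
  validation {
    condition = alltrue([
      for f in values(var.frontends) : contains(["Detection", "Prevention"], f.mode)
    ])
    error_message = "frontends[*].mode must be exactly \"Detection\" or \"Prevention\"."
  }

  # Assumed naming convention: backend domains look like firewall-<env>-palo-<suffix>
  # (matches both firewall-nonprodi-palo-cftithc and firewall-prod-int-palo-cftprod).
  # Rejects a backend that points at the wrong kind of target before any traffic
  # is misdirected to it.
  validation {
    condition = alltrue([
      for f in values(var.frontends) :
      can(regex("^firewall-[a-z0-9-]+-palo-[a-z0-9]+$", f.backend_domain))
    ])
    error_message = "frontends[*].backend_domain must match firewall-<env>-palo-<suffix>."
  }
}

# Example per-environment input (constructed values; would live in ithc.tfvars):
#
# frontends = {
#   return-case-doc = {
#     mode           = "Prevention"
#     custom_domain  = "return-case-doc-ccd"
#     dns_zone_name  = "dns-zone-placeholder"
#     backend_domain = "firewall-nonprodi-palo-cftithc"
#   }
# }
```

Both validation blocks run during `terraform plan`, so a bad mode string or a malformed backend name is reported for the specific tfvars file before anything is applied.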
Jira link
See PROJ-XXXXXX
Change description
Testing done
Security Vulnerability Assessment
CVE Suppression: Are there any CVEs present in the codebase (either newly introduced or pre-existing) that are being intentionally suppressed or ignored by this commit?
Checklist
Link to Terraform Plan
https://tfplan-viewer.hmcts.net/azure-platform-terraform/2633
🤖AEP PR SUMMARY🤖
ithc.tfvars:
prod.tfvars:
stg.tfvars:
test.tfvars: