Skip to content

enable SSL in plum-tlse2e#2688

Open
charlesluokb wants to merge 1 commit intomasterfrom
dtspo-27952-enable-ssl-plum-tlse2e
Open

enable SSL in plum-tlse2e#2688
charlesluokb wants to merge 1 commit intomasterfrom
dtspo-27952-enable-ssl-plum-tlse2e

Conversation

@charlesluokb
Copy link
Copy Markdown
Contributor

@charlesluokb charlesluokb commented Dec 3, 2025
edited by hmcts-platform-operations
Loading

Jira link

See dtspo-27952

Change description

feat(ssl): enable SSL in plum-tlse2e

Testing done

Security Vulnerability Assessment

CVE Suppression: Are there any CVEs present in the codebase (either newly introduced or pre-existing) that are being intentionally suppressed or ignored by this commit?

  • Yes
  • No

Checklist

  • commit messages are meaningful and follow good commit message guidelines
  • README and other documentation has been updated / added (if needed)
  • tests have been updated / new tests has been added (if needed)
  • Does this PR introduce a breaking change

Link to Terraform Plan

https://tfplan-viewer.hmcts.net/azure-platform-terraform/2688

🤖AEP PR SUMMARY🤖

Summary of changes:

  • environments/sbox/backend_lb_config.yaml
    🔐 Enabled SSL and added HTTP to HTTPS redirection for the plum-tlse2e frontend gateway.

  • environments/sbox/sbox.tfvars
    🔐 Enabled SSL for the wildcard-sandbox-platform-hmcts-net frontend configuration.

@charlesluokb charlesluokb requested a review from Copilot December 3, 2025 12:43
Copilot AI reviewed Dec 3, 2025
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR enables SSL/HTTPS support for the plum-tlse2e application in the sandbox environment by configuring SSL settings in both the frontend and backend load balancer configurations.

  • Enabled SSL for plum-tlse2e frontend with certificate configuration
  • Added HTTP-to-HTTPS redirect for plum-tlse2e backend load balancer

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
environments/sbox/sbox.tfvars Enabled SSL for plum-tlse2e frontend configuration
environments/sbox/backend_lb_config.yaml Added SSL enablement and HTTP-to-HTTPS redirect for plum-tlse2e backend

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Dec 3, 2025

Suggestions for Improvement

1. Validation for ssl_enabled and http_to_https_redirect Flags in backend_lb_config.yaml

  • Ensure there is validation logic in place for the new ssl_enabled and http_to_https_redirect flags. Improper configuration or misspelled fields could lead to misconfigurations.
  • Example:
    yaml
    ssl_enabled: true # Ensure this flag is mandatory and validated
    http_to_https_redirect: true # Add validation to avoid boolean misconfiguration

2. Default Values for New Flags

  • If ssl_enabled and http_to_https_redirect are not set, ensure there is a default value (preferably false) in case the fields are omitted. This can prevent unexpected runtime issues.
  • Example: 
    ssl_enabled: ${SSL_ENABLED:-false}
http_to_https_redirect: ${HTTP_TO_HTTPS_REDIRECT:-false}

3. Consistency between backend_lb_config.yaml and sbox.tfvars

  • Both files define ssl_enabled. Ensure all environments and contexts have the same behavior. Use environment-specific overrides if needed to avoid mismatches.

4. Security: Ensure HTTPS Configuration

  • For http_to_https_redirect, confirm that strong security protocols (e.g., TLS 1.2 or higher) are enforced in the HTTPS configuration to avoid vulnerabilities.

5. Carbon and Cost Impact

  • Redirecting HTTP to HTTPS could slightly increase compute usage for handling encrypted requests. Ensure this is optimized and that the load balancer or TLS termination uses efficient processing.
  • Estimated Cost Impact: Negligible to low, depending on number of SSL connections.
  • Carbon Impact: Minimal increase but could add up at scale if handled inefficiently.

6. Documentation and Change Context

  • Ensure there is an update to documentation explaining the purpose and use of the new ssl_enabled and http_to_https_redirect fields.
  • Include examples and possible impacts of enabling these features.

7. Testing and Validation

  • Add test cases, especially automated tests, covering scenarios like:
    • ssl_enabled set to true and false
    • http_to_https_redirect enabled, including edge cases like invalid URLs or misconfigured certificates.

8. Secrets Management for Certificates

  • Check if the certificate_name references a sensitive value like a certificate ARN or ID. Store such values securely using a secrets manager or an encrypted vault.

madjava
madjava reviewed Dec 5, 2025
View reviewed changes
Comment thread environments/sbox/sbox.tfvars
@@ -841,6 +841,7 @@ frontends = [
certificate_name = "wildcard-sandbox-platform-hmcts-net"
Copy link
Copy Markdown
Contributor

@madjava madjava Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @charlesluokb kindly remove cnfgw-fe-sbox.uksouth.cloudapp.azure.com from the backend_domain list. It's a remnant from a previous PoC and not in use.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@madjava madjava madjava left review comments

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@charlesluokb @madjava