
Update main.tf #2738

Draft
reespozzi wants to merge 5 commits into master from reespozzi-patch-2

Conversation

@reespozzi
Contributor

@reespozzi reespozzi commented Jan 28, 2026

Jira link

See PROJ-XXXXXX

Change description

Testing done

Security Vulnerability Assessment

CVE Suppression: Are there any CVEs present in the codebase (either newly introduced or pre-existing) that are being intentionally suppressed or ignored by this commit?

  • Yes
  • No

Checklist

  • commit messages are meaningful and follow good commit message guidelines
  • README and other documentation has been updated / added (if needed)
  • tests have been updated / new tests have been added (if needed)
  • Does this PR introduce a breaking change?

Link to Terraform Plan

https://tfplan-viewer.hmcts.net/azure-platform-terraform/2738

🤖AEP PR SUMMARY🤖

Changes summary:

  • azure_pipeline.yaml 🚧

    • Removed multiple detailed deployment blocks for various environments and components.
    • Simplified definitions by keeping only the 'sbox_global' deployment block.
    • Removed many environment-specific parameter objects and their dependencies.
  • components/global/main.tf 🛠️

    • Updated Terraform module source version for premium_front_door module from master to fix-tf-inconsistent-plan branch.

@github-actions

github-actions Bot commented Jan 28, 2026

Observations and Suggestions for Improvement

  1. Alignment of Inputs in azure_pipeline.yaml:

    • Many input entries in the YAML file are misaligned or contain redundant empty lines (+ + + + + +), which can lead to visual clutter and make the file harder to read or maintain.
    • Suggested Improvement:
      Replace the block of + + + + + + with consistently aligned and meaningful data or remove excess empty entries. If these are placeholders, add comments to clarify their purpose. Example:
      • deployment: 'prod_global'
        environment: 'prod'
        component: 'global'
        service_connection: 'dcd-cftapps-prod'
        storage_account_rg: 'core-infra-prod-rg'
        storage_account_name: 'cftappsprod'
        dependsOn: 'sbox_global'
  2. Modularization of Repeating YAML Blocks:

    • A significant amount of the YAML content is repetitive (e.g., for various environments like sbox, prod, test). This drives maintenance overhead and potential human errors.
    • Suggested Improvement:
      Refactor the repetitive sections by using YAML templates or loops (if supported by your CI system). Reduce duplication by defining a function for common properties and parametrizing environment-specific values.
      Example (using YAML anchors and aliases):
      common_params: &common_params
        service_connection: 'dcd-cftapps-'
        storage_account_rg: 'core-infra-'
        storage_account_name: 'cftapps'
      
      deployments:
        - environment: 'prod'
          <<: *common_params
          service_connection: 'dcd-cftapps-prod'
          storage_account_rg: 'core-infra-prod-rg'
          storage_account_name: 'cftappsprod'
  3. Terraform Module Reference Update:

    • In components/global/main.tf, the source reference for the premium_front_door module is changed from master to fix-tf-inconsistent-plan. While this might address a specific issue, it would be better to refer to a tagged release to adhere to best practices and avoid unintended changes from the branch.
    • Suggested Improvement:
      Modify the source to use a stable release tag instead of a branch. Example:
      source = "git::https://github.com/hmcts/terraform-module-frontdoor.git?ref=v1.2.3"
  4. Carbon and Cost Considerations:

    • The pipeline seems to have multiple environments (prod, test, stg, etc.), each replicating similar infrastructure. This can increase cloud consumption costs and has an environmental impact.
    • Suggested Improvement:
      Evaluate the necessity of maintaining all environments. Consolidate or reuse environments where possible to reduce unused or underutilized resources. Implement scheduled resource cleanup for non-production environments to conserve costs.
  5. Security Best Practices:

    • Service connection values (service_connection) and sensitive identifiers like storage_account_rg and storage_account_name are defined in plaintext. Though this might be tolerable in this context, storing sensitive information in the pipeline code directly can be risky.
    • Suggested Improvement:
      Use variable groups or pipeline secrets to securely store sensitive configurations. Replace direct definitions with secret variable references. Example:
      service_connection: $(service_connection_name)
  6. Error Handling and Validation:

    • The YAML lacks clear error handling or validation for input parameters like the environment or service connection names. This could cause failures during pipeline execution.

    • Suggested Improvement:
      Add input validation logic or default cases for mandatory parameters. For example, you can verify acceptable values for environment using allowedValues.

      Example:

      parameters:
        - name: environment
          type: string
          default: 'sbox'
          allowedValues:
            - sbox
            - prod
            - test
            - stg

Summary

  • Code Quality: Refactor redundant YAML blocks and align entries properly.
  • Best Practice: Use tags for Terraform modules, avoid direct use of branch references.
  • Security: Store sensitive variables like service connections in pipeline secrets.
  • Cost/Carbon Usage: Consolidate environments and schedule resource cleanup for less-used environments to reduce both costs and emissions.
  • Estimated Impact on Cost and Carbon Usage: Depending on the size of environments, merging or optimizing non-production environments could significantly reduce usage and costs, potentially saving hundreds to thousands of GBP annually while lowering carbon emissions linked to cloud infrastructure.
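The module-pinning point in item 3, as an added check that is not part of this PR or the bot's review: a small Python scanner that walks `module` blocks in HCL text and flags git sources whose `ref` is a mutable branch (like fix-tf-inconsistent-plan) or missing altogether, while accepting a release tag or a full commit SHA. The module/source regexes and the sample HCL below are constructed for this example, not taken from the repository.

```python
import re
from urllib.parse import urlparse, parse_qs

# Tolerant regexes for module blocks and their source line (constructed; not a full HCL parser).
MODULE_RE = re.compile(r'module\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}', re.S)
SOURCE_RE = re.compile(r'source\s*=\s*"(?P<src>[^"]+)"')
SEMVER_TAG = re.compile(r'^v?\d+\.\d+\.\d+$')
COMMIT_SHA = re.compile(r'^[0-9a-f]{40}$')


def classify_ref(source: str) -> str:
    """Classify how a Terraform git module source is pinned.

    Returns one of: 'not-git', 'unpinned', 'branch', 'tag', 'commit'.
    """
    if not source.startswith("git::"):
        return "not-git"
    url = urlparse(source[len("git::"):])
    ref = parse_qs(url.query).get("ref", [None])[0]
    if not ref:
        return "unpinned"   # resolves to the remote's default branch, which moves
    if COMMIT_SHA.match(ref):
        return "commit"     # immutable: the strongest pin
    if SEMVER_TAG.match(ref):
        return "tag"        # stable release; tags can still be re-pointed, so SHA is stricter
    return "branch"         # mutable: module contents can change between plans


def find_mutable_module_refs(hcl_text: str) -> list[tuple[str, str, str]]:
    """Return (module name, source, classification) for every module whose
    git source is not pinned to a tag or commit."""
    findings = []
    for m in MODULE_RE.finditer(hcl_text):
        s = SOURCE_RE.search(m.group("body"))
        if not s:
            continue
        kind = classify_ref(s.group("src"))
        if kind in ("branch", "unpinned"):
            findings.append((m.group("name"), s.group("src"), kind))
    return findings


# Constructed sample: one branch ref (as in this PR), one tag ref, one local path.
SAMPLE_TF = '''
module "premium_front_door" {
  source = "git::https://github.com/hmcts/terraform-module-frontdoor.git?ref=fix-tf-inconsistent-plan"
}
module "pinned_front_door" {
  source = "git::https://github.com/hmcts/terraform-module-frontdoor.git?ref=v1.2.3"
}
module "local_thing" {
  source = "./modules/local"
}
'''

if __name__ == "__main__":
    for name, src, kind in find_mutable_module_refs(SAMPLE_TF):
        print(f"{kind}: module {name!r} -> {src}")
```

Run it in CI over `components/**/*.tf` to fail the build on any branch or unpinned finding before the plan is applied.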

@hmcts-platform-operations

Tip

✅ master branch build is now passing!

Build: #apply - Azure Platform

