DFR-4794: Test old div PFE for WAF updates #2850

Open

joe-wilko-hmcts wants to merge 2 commits into master from DFR-4794

Conversation


@joe-wilko-hmcts commented Mar 30, 2026

https://tools.hmcts.net/jira/browse/DFR-4794

Change description

This PR updates the configuration in AAT to align with the recent prod.tfvars changes for div-pfe WAF config.

Testing done

Security Vulnerability Assessment

CVE Suppression: Are there any CVEs present in the codebase (either newly introduced or pre-existing) that are being intentionally suppressed or ignored by this commit?

  • Yes
  • No

Checklist

  • commit messages are meaningful and follow good commit message guidelines
  • README and other documentation has been updated / added (if needed)
  • tests have been updated / new tests has been added (if needed)
  • Does this PR introduce a breaking change

Link to Terraform Plan

https://tfplan-viewer.hmcts.net/azure-platform-terraform/2850

🤖AEP PR SUMMARY🤖

  • environments/stg/stg.tfvars
    🆕 Added multiple new frontend IDs to the existing frontends list, expanding the targets for configuration.
    🔍 Introduced new request matching criteria including:
    • Several RequestCookieNames matchers for cookies like "nfdiv-cookie-preferences", "dtCookie", and "nfdiv-session".
    • New QueryStringArgNames matchers including "lng", "code", and "client_id".
    • Extended RequestBodyPostArgNames matchers that now include various uploaded files parameters related to applicants and clarifications (e.g. "applicant1UploadedFiles", "applicant2UploadedFiles", "coClarificationUploadedFiles", and others).
      These additions enhance filtering or routing rules based on cookies, query parameters, and POST body arguments.

…-pfe

# Add disabled_rule:
- 942340

# Add global_exclusions:
- RequestCookieNames - nfdiv-cookie-preferences
- RequestCookieNames - dtCookie
- RequestCookieNames - nfdiv-session
- QueryStringArgNames - lng
- QueryStringArgNames - code
- QueryStringArgNames - client_id
- RequestBodyPostArgNames - applicant1UploadedFiles
- RequestBodyPostArgNames - applicant2UploadedFiles
- RequestBodyPostArgNames - coClarificationUploadedFiles
- RequestBodyPostArgNames - app1RfiDraftResponseUploadedFiles
- RequestBodyPostArgNames - app2RfiDraftResponseUploadedFiles
- RequestBodyPostArgNames - applicant1InterimAppsEvidenceUploadedFiles
- RequestBodyPostArgNames - applicant2InterimAppsEvidenceUploadedFiles
- RequestBodyPostArgNames - applicant2LegalProceedingUploadedFiles
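As an added illustration (not the repository's own module, which reads these values from tfvars), the disabled rule and global exclusions in that commit message expressed directly on an Azure Front Door WAF policy; the policy name, the resource group variable, the rule set version and the SQLI group name for 942340 are assumptions.

```hcl
locals {
  # Every entry here is skipped by all managed rules in the set, so each RequestBodyPostArgNames exclusion is a field the WAF no longer inspects.
  global_exclusions = [
    { match_variable = "RequestCookieNames",      operator = "Equals", selector = "nfdiv-cookie-preferences" },
    { match_variable = "RequestCookieNames",      operator = "Equals", selector = "dtCookie" },
    { match_variable = "RequestCookieNames",      operator = "Equals", selector = "nfdiv-session" },
    { match_variable = "QueryStringArgNames",     operator = "Equals", selector = "lng" },
    { match_variable = "QueryStringArgNames",     operator = "Equals", selector = "code" },
    { match_variable = "QueryStringArgNames",     operator = "Equals", selector = "client_id" },
    { match_variable = "RequestBodyPostArgNames", operator = "Equals", selector = "applicant1UploadedFiles" },
    { match_variable = "RequestBodyPostArgNames", operator = "Equals", selector = "applicant2UploadedFiles" },
    { match_variable = "RequestBodyPostArgNames", operator = "Equals", selector = "coClarificationUploadedFiles" },
    { match_variable = "RequestBodyPostArgNames", operator = "Equals", selector = "app1RfiDraftResponseUploadedFiles" },
    { match_variable = "RequestBodyPostArgNames", operator = "Equals", selector = "app2RfiDraftResponseUploadedFiles" },
    { match_variable = "RequestBodyPostArgNames", operator = "Equals", selector = "applicant1InterimAppsEvidenceUploadedFiles" },
    { match_variable = "RequestBodyPostArgNames", operator = "Equals", selector = "applicant2InterimAppsEvidenceUploadedFiles" },
    { match_variable = "RequestBodyPostArgNames", operator = "Equals", selector = "applicant2LegalProceedingUploadedFiles" },
  ]
}
resource "azurerm_cdn_frontdoor_firewall_policy" "div_pfe" {
  name                = "divpfewaf"             # assumed name
  resource_group_name = var.resource_group_name # assumed variable
  sku_name            = "Premium_AzureFrontDoor"
  mode                = "Prevention"
  managed_rule {
    type    = "Microsoft_DefaultRuleSet"
    version = "2.1"
    action  = "Block"
    # One exclusion block per entry, generated with a dynamic block.
    dynamic "exclusion" {
      for_each = local.global_exclusions
      content {
        match_variable = exclusion.value.match_variable
        operator       = exclusion.value.operator
        selector       = exclusion.value.selector
      }
    }
    # Disabling one rule is narrower than an exclusion: only this rule stops firing, every other rule still sees the whole request.
    override {
      rule_group_name = "SQLI"
      rule {
        rule_id = "942340"
        action  = "Block"
        enabled = false
      }
    }
  }
}
```

A global exclusion removes the named field from inspection by every managed rule, so each upload parameter listed here needs validation and scanning downstream of the WAF; `enabled = false` on 942340 silences only that single rule.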

github-actions Bot commented Mar 30, 2026

Review of Changes and Suggestions for Improvement

Code Quality & Best Practices

  1. Repeated Patterns: The match_variable, operator, and selector structure is repeated. Consider using a loop or a consolidated structure to improve maintainability and reduce redundancy.

    • Example (HCL):

      locals {
        match_variable_entries = [
          { match_variable = "RequestCookieNames", operator = "Equals", selector = "nfdiv-cookie-preferences" },
          { match_variable = "RequestCookieNames", operator = "Equals", selector = "dtCookie" },
          ...
        ]
      }

      # for_each belongs inside the resource block; key each entry so Terraform
      # tracks additions and removals individually instead of by list position.
      resource "xyz" "exclusion" {
        for_each = { for e in local.match_variable_entries : "${e.match_variable}/${e.selector}" => e }

        match_variable = each.value.match_variable
        operator       = each.value.operator
        selector       = each.value.selector
      }

  2. Consistent Ordering: Ensure attributes like match_variable are consistently alphabetized or grouped logically to make future diffs easier to review.

  3. Use Named Descriptions: Add comments or descriptions about why specific rules are needed. This will help future maintainers understand the broader context of these configurations.


Security Considerations

  1. Sensitive Match Patterns: Some selectors like code, client_id, and RequestBodyPostArgNames (e.g., uploadedFiles) may suggest sensitive data. Ensure proper controls in downstream systems to sanitize these inputs.
    • Validate that no unintended sensitive data is being exposed or logged during processing.

Cost and Carbon Usage

  1. Resource Optimization: This file likely influences system rules. Evaluate if combining some patterns (e.g., using StartsWith instead of Equals for cookie prefixes) could reduce operational overhead.
    • Example:
      { match_variable = "RequestCookieNames", operator = "StartsWith", selector = "nfdiv-" }
    • Benefits: Fewer system rules could translate into lower processing costs and reduced CPU cycles, indirectly impacting energy usage and costs.

Suggested Action Items

  • Refactor repetitive blocks: Explore a for_each or similar iterative structure.
  • Add comments: Describe the purpose of new selectors.
  • Audit sensitive fields: Ensure fields like client_id and uploaded file references are necessary and protected.
  • Optimize matching: Use broader match patterns (e.g., StartsWith) where appropriate to minimize rule duplication.

@hmcts-platform-operations

Tip

✅ master branch build is now passing!

Build: #apply - Azure Platform

@azure-pipelines

Azure Pipelines:
Successfully started running 1 pipeline(s).

