Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dummy split channels #1495

Closed
wants to merge 7 commits into from
Closed

Dummy split channels #1495

wants to merge 7 commits into from

Conversation

pluckyswan
Copy link
Contributor

Add a PR title

Describe what changed in this PR at a high level.

Issue

Add a link to the issue here. Consider using
closing keywords
if the this PR isn't for a story (stories will be closed through different means).

Checklist

  • I have added tests to cover my changes
  • I have added logging where useful (with appropriate log level)
  • I have added JavaDocs where required
  • I have updated the documentation accordingly

Note: You may remove items that are not applicable

somesylvie and others added 7 commits October 25, 2024 11:56
@github-actions GitHub Actions
Copy link

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Configuration Clarity
The configuration for alert email addresses should be clearly documented to avoid confusion between production and non-production environments.

Security Concern
The use of secrets directly in the workflow files should be reviewed to ensure they are securely managed and not exposed.

github-actions[bot]
github-actions bot reviewed Oct 25, 2024
View reviewed changes
operations/template/alert.tf
name = "cdcti-flexion-slack-email-receiver"
name = "cdcti-flexion-slack-email-receiver"
// This variable is set in the `env-deploy.yml` GH action for each environment
// We use a different email address/Slack channel for prod and non-prod alerts
email_address = var.alert_slack_email
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider adding a conditional check to ensure that the email_address variable is not empty before applying the configuration. This can prevent misconfiguration that might lead to missing alerts. [important]

.github/workflows/cicd.yml
@@ -29,7 +29,7 @@ jobs:
VPN_CA_CERTIFICATE: ${{ secrets.VPN_CA_CERTIFICATE }}
VPN_GITHUB_CERTIFICATE: ${{ secrets.VPN_GITHUB_CERTIFICATE}}
VPN_GITHUB_SECRET_KEY: ${{ secrets.VPN_GITHUB_SECRET_KEY }}
TERRAFORM_APPLY_PARAMETERS: -var="alert_slack_email=${{ secrets.ALERT_SLACK_EMAIL }}"
TERRAFORM_APPLY_PARAMETERS: -var="alert_slack_email=${{ secrets.NON_PROD_ALERT_SLACK_EMAIL }}"
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's recommended to encapsulate the Terraform apply parameters into a script or a separate step to enhance readability and maintainability of the workflow file. [medium]

adr/020-azure-alerts.md

To ensure rapid response to application failures within our CI/CD infrastructure, we require real-time notifications for critical issues. The current alert setup focuses on:
Alerts are configured in [alert.tf](../operations/template/alert.tf). To reduce
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To improve the documentation, consider adding a section on how to troubleshoot common issues with Azure alerts, which could be beneficial for new team members or during incident response. [medium]

@github-actions GitHub Actions
Copy link

PR Code Suggestions ✨

Explore these optional code suggestions:

CategorySuggestion                                                                                                                                    Score
Best practice
Implement error handling in Terraform commands to enhance robustness and error visibility

Add error handling for the Terraform destroy command to manage potential failures
gracefully, especially when using dynamic variables like pr_number and
alert_slack_email.

.github/workflows/terraform-ci-destroy.yml [56]

-run: terraform destroy -auto-approve -input=false -var="pr_number=${{ github.event.number }}" -var="alert_slack_email=${{ secrets.NON_PROD_ALERT_SLACK_EMAIL }}"
+run: terraform destroy -auto-approve -input=false -var="pr_number=${{ github.event.number }}" -var="alert_slack_email=${{ secrets.NON_PROD_ALERT_SLACK_EMAIL }}" || echo "Error during destruction"
Suggestion importance[1-10]: 7

Why: Adding error handling to the Terraform destroy command is a practical improvement that enhances the robustness of the deployment process. The suggestion includes a specific implementation which makes it actionable and relevant.

7
Validate secret values before use to prevent deployment issues

Consider adding a conditional check to ensure that
secrets.NON_PROD_ALERT_SLACK_EMAIL is not empty or incorrectly formatted before
using it in the Terraform apply parameters to prevent deployment failures.

.github/workflows/cicd.yml [32]

-TERRAFORM_APPLY_PARAMETERS: -var="alert_slack_email=${{ secrets.NON_PROD_ALERT_SLACK_EMAIL }}"
+TERRAFORM_APPLY_PARAMETERS: -var="alert_slack_email=${{ secrets.NON_PROD_ALERT_SLACK_EMAIL }}"  # Ensure this secret is validated
Suggestion importance[1-10]: 5

Why: Validating the secrets.NON_PROD_ALERT_SLACK_EMAIL before use is a good practice to avoid deployment failures. However, the suggestion lacks a concrete implementation of the validation check, reducing its practical applicability.

5
Security
Add validation for dynamically set email addresses to enhance security and configuration accuracy

Ensure that the email_address variable is properly validated or sanitized to prevent
potential security risks or misconfiguration, especially since it is dynamically set
from environment-specific secrets.

operations/template/alert.tf [11]

 email_receiver {
   name = "cdcti-flexion-slack-email-receiver"
-  email_address = var.alert_slack_email
+  email_address = sanitize(var.alert_slack_email)  # Assuming sanitize is a hypothetical function for validation
 }
Suggestion importance[1-10]: 6

Why: The suggestion to validate the email_address variable is relevant and enhances security. However, the provided improved_code uses a hypothetical function sanitize, which is not defined or implemented in the PR, making the suggestion partially actionable.

6
Verify that secrets comply with security policies to maintain secure and consistent configuration management

Ensure consistency in secret management by verifying that
secrets.PROD_ALERT_SLACK_EMAIL is aligned with your organization's security policies
and access controls.

.github/workflows/prod-deploy.yml [29]

-TERRAFORM_APPLY_PARAMETERS: -var="alert_slack_email=${{ secrets.PROD_ALERT_SLACK_EMAIL }}"
+TERRAFORM_APPLY_PARAMETERS: -var="alert_slack_email=${{ secrets.PROD_ALERT_SLACK_EMAIL }}"  # Verify compliance with security policies
Suggestion importance[1-10]: 4

Why: Ensuring that secrets comply with security policies is important, but the suggestion does not provide a specific method or implementation to verify this compliance, making it less actionable.

4

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

@pluckyswan pluckyswan closed this Oct 30, 2024
@pluckyswan pluckyswan deleted the dummy-split-channels branch October 30, 2024 16:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@pluckyswan @somesylvie