Added custom waf rule to prevent sqli

build/automation/var/project.mk

@@ -140,6 +140,7 @@ TF_VAR_waf_ip_allow_list_rule_name := $(PROJECT_ID)-$(SHARED_ENVIRONMENT)-waf-ip
 TF_VAR_waf_rate_based_rule_name := $(PROJECT_ID)-$(SHARED_ENVIRONMENT)-waf-rate-based-rule
 TF_VAR_waf_aws_known_bad_inputs_rule_name := $(PROJECT_ID)-$(SHARED_ENVIRONMENT)-waf-aws-known-bad-inputs-rule
 TF_VAR_waf_aws_sqli_rule_name := $(PROJECT_ID)-$(SHARED_ENVIRONMENT)-waf-aws-sqli-rule
+TF_VAR_waf_custom_sqli_rule_name := $(PROJECT_ID)-$(SHARED_ENVIRONMENT)-waf-custom-sqli-rule
 
 # -------------------------------
 # BLUE/GREEN ENVIRONMENT VARIABLES

infrastructure/stacks/shared-resources/cloudwatch-waf-alarms.tf

@@ -118,6 +118,26 @@ resource "aws_cloudwatch_metric_alarm" "waf_aws_managed_sql_injection_blocked_re
   threshold          = "1"
 }
 
+resource "aws_cloudwatch_metric_alarm" "waf_custom_sql_injection_blocked_requests" {
+  count               = var.waf_enabled ? 1 : 0
+  alarm_actions       = [aws_sns_topic.shared_resources_sns_topic_app_alerts_for_slack_default_region.arn]
+  alarm_description   = "WAF Custom SQL Injection Blocked Requests"
+  alarm_name          = "${var.project_id} | ${var.shared_environment} | WAF Custom SQL Injection Blocked Requests"
+  comparison_operator = "GreaterThanThreshold"
+  datapoints_to_alarm = "1"
+  dimensions = {
+    Rule   = var.waf_custom_sqli_rule_name
+    WebACL = var.waf_acl_name,
+    Region = var.aws_region
+  }
+  evaluation_periods = "1"
+  metric_name        = "BlockedRequests"
+  namespace          = "AWS/WAFV2"
+  period             = "60"
+  statistic          = "Sum"
+  threshold          = "1"
+}
+
 resource "aws_cloudwatch_metric_alarm" "waf_aws_managed_ip_reputation_list_blocked_requests" {
   count               = var.waf_enabled ? 1 : 0
   alarm_actions       = [aws_sns_topic.shared_resources_sns_topic_app_alerts_for_slack_default_region.arn]

infrastructure/stacks/shared-resources/variables.tf

@@ -211,3 +211,8 @@ variable "waf_aws_sqli_rule_name" {
   type        = string
   description = "WAF AWS SQLi rule name"
 }
+
+variable "waf_custom_sqli_rule_name" {
+  type        = string
+  description = "WAF Custom SQLi rule name"
+}

infrastructure/stacks/shared-resources/waf.tf

@@ -156,19 +156,46 @@ resource "aws_wafv2_web_acl" "di_endpoint_waf" {
         vendor_name = "AWS"
       }
 
+      # sqli_match_statement {
+      #   sensitivity_level = "HIGH"
+      #   text_transformation {
+      #     priority = 0
+      #     type = "LOWERCASE"
+      #   }
+      # }
+    }
+
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = var.waf_aws_sqli_rule_name
+      sampled_requests_enabled   = true
+    }
+  }
+
+  rule {
+    name     = var.waf_custom_sqli_rule_name
+    priority = 8
+
+    action {
+      count {}
+    }
+
+    statement {
       sqli_match_statement {
+        field_to_match {
+          body {}
+        }
         sensitivity_level = "HIGH"
         text_transformation {
           priority = 0
-          type = "LOWERCASE"
+          type = "NONE"
         }
       }
     }
-
     visibility_config {
+      sampled_requests_enabled = true
+      metric_name = var.waf_custom_sqli_rule_name
       cloudwatch_metrics_enabled = true
-      metric_name                = var.waf_aws_sqli_rule_name
-      sampled_requests_enabled   = true
     }
   }