DS-2844 Missing rule config for WAF SQLi rule (#1041)

# Task Branch Pull Request

**<https://nhsd-jira.digital.nhs.uk/browse/DS-2844>**

## Description of Changes

This PR creates a custom WAF rule to identify the SQL injection attacks
in change event request.
Please include a summary of the change

## Type of change

- Security enhancements(Prevention of SQL injections)

## Development Checklist

- [x] I have performed a self-review of my own code
- [x] Tests have added that prove my fix is effective or that my feature
works (Integration tests)
- [x] I have updated Dependabot to include my changes (if applicable)

## Code Reviewer Checklist

- [x] I can confirm the changes have been tested or approved by a tester

Author: ajmu1

build/automation/var/project.mk

@@ -141,6 +141,7 @@ TF_VAR_waf_ip_allow_list_rule_name := $(PROJECT_ID)-$(SHARED_ENVIRONMENT)-waf-ip
 TF_VAR_waf_rate_based_rule_name := $(PROJECT_ID)-$(SHARED_ENVIRONMENT)-waf-rate-based-rule
 TF_VAR_waf_aws_known_bad_inputs_rule_name := $(PROJECT_ID)-$(SHARED_ENVIRONMENT)-waf-aws-known-bad-inputs-rule
 TF_VAR_waf_aws_sqli_rule_name := $(PROJECT_ID)-$(SHARED_ENVIRONMENT)-waf-aws-sqli-rule
+TF_VAR_waf_custom_sqli_rule_name := $(PROJECT_ID)-$(SHARED_ENVIRONMENT)-waf-custom-sqli-rule
 
 # -------------------------------
 # BLUE/GREEN ENVIRONMENT VARIABLES

infrastructure/stacks/shared-resources/cloudwatch-waf-alarms.tf

@@ -118,6 +118,26 @@ resource "aws_cloudwatch_metric_alarm" "waf_aws_managed_sql_injection_blocked_re
   threshold          = "1"
 }
 
+resource "aws_cloudwatch_metric_alarm" "waf_custom_sql_injection_count_requests" {
+  count               = var.waf_enabled ? 1 : 0
+  alarm_actions       = [aws_sns_topic.shared_resources_sns_topic_app_alerts_for_slack_default_region.arn]
+  alarm_description   = "WAF Custom SQL Injection Count Requests"
+  alarm_name          = "${var.project_id} | ${var.shared_environment} | WAF Custom SQL Injection Count Requests"
+  comparison_operator = "GreaterThanThreshold"
+  datapoints_to_alarm = "1"
+  dimensions = {
+    Rule   = var.waf_custom_sqli_rule_name
+    WebACL = var.waf_acl_name,
+    Region = var.aws_region
+  }
+  evaluation_periods = "1"
+  metric_name        = "CountedRequests"
+  namespace          = "AWS/WAFV2"
+  period             = "60"
+  statistic          = "Sum"
+  threshold          = "1"
+}
+
 resource "aws_cloudwatch_metric_alarm" "waf_aws_managed_ip_reputation_list_blocked_requests" {
   count               = var.waf_enabled ? 1 : 0
   alarm_actions       = [aws_sns_topic.shared_resources_sns_topic_app_alerts_for_slack_default_region.arn]

infrastructure/stacks/shared-resources/variables.tf

@@ -216,3 +216,8 @@ variable "waf_aws_sqli_rule_name" {
   type        = string
   description = "WAF AWS SQLi rule name"
 }
+
+variable "waf_custom_sqli_rule_name" {
+  type        = string
+  description = "WAF custom SQLi rule name"
+}

infrastructure/stacks/shared-resources/waf.tf

@@ -164,6 +164,33 @@ resource "aws_wafv2_web_acl" "di_endpoint_waf" {
     }
   }
 
+  rule {
+    name     = var.waf_custom_sqli_rule_name
+    priority = 8
+
+    action {
+      count {}
+    }
+
+    statement {
+      sqli_match_statement {
+        field_to_match {
+          body {}
+        }
+        sensitivity_level = "HIGH"
+        text_transformation {
+          priority = 0
+          type = "NONE"
+        }
+      }
+    }
+    visibility_config {
+      sampled_requests_enabled = true
+      metric_name = var.waf_custom_sqli_rule_name
+      cloudwatch_metrics_enabled = true
+    }
+  }
+
   rule {
     name     = var.waf_ip_reputation_list_rule_name
     priority = 7