Release/shared resources nine (#1047)

# Release Branch Pull Request

## Description of Changes

- DI Pen test WAF and DynamoDB changes
- Integration test case optimization

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Matthew Begley <60427904+mabe13@users.noreply.github.com>
Co-authored-by: Sindhu Natarajan <nsindhupriya@hotmail.co.uk>
Co-authored-by: ThomasC-Kainos <106971950+ThomasC-Kainos@users.noreply.github.com>
Co-authored-by: ajmu1 <ajmu1@hscic.gov.uk>
Co-authored-by: ManithaSrinivasa <142212846+ManithaSrinivasa@users.noreply.github.com>

Author: 6 people

build/automation/var/profile/demo.mk

@@ -40,6 +40,7 @@ SLACK_ALERT_CHANNEL := dos-integration-dev-status
 
 # WAF
 WAF_ENABLED := true
+DDB_DELETE_PROTECTION :=false
 
 # ==============================================================================
 # Performance variables

build/automation/var/profile/dev.mk

@@ -39,6 +39,7 @@ SLACK_ALERT_CHANNEL := dos-integration-dev-status
 
 # WAF
 WAF_ENABLED := false
+DDB_DELETE_PROTECTION :=false
 
 # ==============================================================================
 # Performance variables

build/automation/var/profile/live.mk

@@ -41,6 +41,7 @@ SLACK_ALERT_CHANNEL := dos-integration-live-status
 
 # WAF
 WAF_ENABLED := true
+DDB_DELETE_PROTECTION :=true
 
 # ==============================================================================
 # Performance variables

build/automation/var/profile/pen.mk

@@ -2,3 +2,4 @@
 
 # WAF
 WAF_ENABLED := true
+DDB_DELETE_PROTECTION :=false

build/automation/var/profile/perf.mk

@@ -39,6 +39,7 @@ SLACK_ALERT_CHANNEL := dos-integration-dev-status
 
 # WAF
 WAF_ENABLED := true
+DDB_DELETE_PROTECTION :=false
 
 # ==============================================================================
 # Performance variables

build/automation/var/profile/perf2.mk

@@ -39,6 +39,7 @@ SLACK_ALERT_CHANNEL := dos-integration-dev-status
 
 # WAF
 WAF_ENABLED := true
+DDB_DELETE_PROTECTION :=false
 
 # ==============================================================================
 # Performance variables

build/automation/var/project.mk

@@ -109,6 +109,7 @@ TF_VAR_change_event_dlq := $(PROJECT_ID)-$(SHARED_ENVIRONMENT)-change-event-dead
 # Dynamodb
 TF_VAR_change_events_table_name := $(PROJECT_ID)-$(SHARED_ENVIRONMENT)-change-events
 DYNAMO_DB_TABLE := $(TF_VAR_change_events_table_name)
+TF_VAR_ddb_delete_protection :=$(DDB_DELETE_PROTECTION)
 
 # Log Group Filters for Firehose
 TF_VAR_change_event_gateway_subscription_filter_name := $(PROJECT_ID)-$(SHARED_ENVIRONMENT)-change-event-api-gateway-cw-logs-firehose-subscription
@@ -140,6 +141,7 @@ TF_VAR_waf_ip_allow_list_rule_name := $(PROJECT_ID)-$(SHARED_ENVIRONMENT)-waf-ip
 TF_VAR_waf_rate_based_rule_name := $(PROJECT_ID)-$(SHARED_ENVIRONMENT)-waf-rate-based-rule
 TF_VAR_waf_aws_known_bad_inputs_rule_name := $(PROJECT_ID)-$(SHARED_ENVIRONMENT)-waf-aws-known-bad-inputs-rule
 TF_VAR_waf_aws_sqli_rule_name := $(PROJECT_ID)-$(SHARED_ENVIRONMENT)-waf-aws-sqli-rule
+TF_VAR_waf_custom_sqli_rule_name := $(PROJECT_ID)-$(SHARED_ENVIRONMENT)-waf-custom-sqli-rule
 
 # -------------------------------
 # BLUE/GREEN ENVIRONMENT VARIABLES

infrastructure/stacks/shared-resources/cloudwatch-waf-alarms.tf

@@ -118,6 +118,26 @@ resource "aws_cloudwatch_metric_alarm" "waf_aws_managed_sql_injection_blocked_re
   threshold          = "1"
 }
 
+resource "aws_cloudwatch_metric_alarm" "waf_custom_sql_injection_count_requests" {
+  count               = var.waf_enabled ? 1 : 0
+  alarm_actions       = [aws_sns_topic.shared_resources_sns_topic_app_alerts_for_slack_default_region.arn]
+  alarm_description   = "WAF Custom SQL Injection Count Requests"
+  alarm_name          = "${var.project_id} | ${var.shared_environment} | WAF Custom SQL Injection Count Requests"
+  comparison_operator = "GreaterThanThreshold"
+  datapoints_to_alarm = "1"
+  dimensions = {
+    Rule   = var.waf_custom_sqli_rule_name
+    WebACL = var.waf_acl_name,
+    Region = var.aws_region
+  }
+  evaluation_periods = "1"
+  metric_name        = "CountedRequests"
+  namespace          = "AWS/WAFV2"
+  period             = "60"
+  statistic          = "Sum"
+  threshold          = "1"
+}
+
 resource "aws_cloudwatch_metric_alarm" "waf_aws_managed_ip_reputation_list_blocked_requests" {
   count               = var.waf_enabled ? 1 : 0
   alarm_actions       = [aws_sns_topic.shared_resources_sns_topic_app_alerts_for_slack_default_region.arn]

infrastructure/stacks/shared-resources/dynamodb.tf

@@ -3,6 +3,7 @@ resource "aws_dynamodb_table" "message-history-table" {
   billing_mode = "PAY_PER_REQUEST"
   hash_key     = "Id"
   range_key    = "ODSCode"
+  deletion_protection_enabled = var.ddb_delete_protection
 
   server_side_encryption {
     enabled     = true

infrastructure/stacks/shared-resources/variables.tf

@@ -158,6 +158,11 @@ variable "waf_enabled" {
   description = "Whether to enable WAF"
 }
 
+variable "ddb_delete_protection" {
+  type        = bool
+  description = "Whether to enable delete protection"
+}
+
 variable "waf_acl_name" {
   type        = string
   description = "Name of the WAF ACL"
@@ -211,3 +216,8 @@ variable "waf_aws_sqli_rule_name" {
   type        = string
   description = "WAF AWS SQLi rule name"
 }
+
+variable "waf_custom_sqli_rule_name" {
+  type        = string
+  description = "WAF custom SQLi rule name"
+}