From d46be2964c0e623dcde29160ada7067c4c8ccce1 Mon Sep 17 00:00:00 2001
From: dwhitestratiform <52459927+dwhitestratiform@users.noreply.github.com>
Date: Mon, 12 Aug 2024 10:27:56 -0400
Subject: [PATCH] Adding WAF to sit in front of cognito for additional security (#139738)

---
 services/ui-auth/serverless.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/services/ui-auth/serverless.yml b/services/ui-auth/serverless.yml
index f309f8443..b8b50f50b 100644
--- a/services/ui-auth/serverless.yml
+++ b/services/ui-auth/serverless.yml
@@ -29,6 +29,7 @@ plugins:
   - serverless-bundle
   - serverless-iam-helper
   - serverless-s3-bucket-helper
+  - "@enterprise-cmcs/serverless-waf-plugin"
 
 s3BucketHelper:
   loggingConfiguration:
@@ -39,6 +40,11 @@ custom:
   project: "carts"
   stage: ${opt:stage, self:provider.stage}
   region: ${opt:region, self:provider.region}
+  wafPlugin:
+    name: ${self:service}-${self:custom.stage}-webacl-waf
+    wafExcludeRules:
+      awsCommon:
+        - "SizeRestrictions_BODY"
   serverlessTerminationProtection:
     stages:
       - main
@@ -115,6 +121,18 @@ resources:
           StringAttributeConstraints:
             MinLength: 0
             MaxLength: 256
+      UserPoolAddOns:
+        AdvancedSecurityMode: ENFORCED
+      UserPoolTags:
+        Name: ${self:custom.stage}-user-pool
+
+    # Associate the WAF Web ACL with the Cognito User Pool
+    CognitoUserPoolWAFAssociation:
+      Type: 'AWS::WAFv2::WebACLAssociation'
+      Properties:
+        ResourceArn: !GetAtt CognitoUserPool.Arn
+        WebACLArn: !GetAtt WafPluginAcl.Arn
+
     CognitoUserPoolClient:
       Type: AWS::Cognito::UserPoolClient
       Properties:
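Review bot: The new `CognitoUserPoolWAFAssociation` resource in the third hunk hard-codes `!GetAtt WafPluginAcl.Arn`, a logical ID that the newly added plugin is presumably expected to generate, and nothing in the file records that coupling; a comment such as `# WafPluginAcl is the Web ACL logical ID emitted by @enterprise-cmcs/serverless-waf-plugin (see custom.wafPlugin)` above the resource would tell the next maintainer where the name comes from and why a plugin upgrade could break the deploy. The `wafExcludeRules` entry in the second hunk drops `SizeRestrictions_BODY` from the AWS common rule set with no stated reason, so a one-line comment explaining why the body-size rule cannot apply to the Cognito endpoint (and what, if anything, still bounds request bodies there) would keep the exclusion from being reverted or copied to other services blindly. It is also worth confirming that the plugin creates the Web ACL with `REGIONAL` scope in the same region as the user pool, since WAFv2 only allows a Cognito user pool association with a regional ACL and the plugin settings shown here do not make that explicit. Minor style point: `Type: 'AWS::WAFv2::WebACLAssociation'` is single-quoted while the adjacent `Type: AWS::Cognito::UserPoolClient` is plain; `Type: AWS::WAFv2::WebACLAssociation` would match the rest of the file.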