[QOLDEV-908] replace classic WAF with v2

templates/waf_web_acl.cfn.yml

@@ -8,6 +8,35 @@ Parameters:
     Type: String
     Default: CKAN
 Resources:
+  WebACLv2:
+    Type: "AWS::WAFv2::WebACL"
+    Properties:
+      Name: !Sub "${Environment}-${Platform}-WebACLv2"
+      Description: !Sub "${Environment} ${Platform} WAFv2 Web ACL to block traffic based on defined rules."
+      Scope: CLOUDFRONT
+      DefaultAction:
+        Allow: {}
+      VisibilityConfig:
+        CloudWatchMetricsEnabled: true
+        MetricName: "WafWebACL"
+        SampledRequestsEnabled: true
+      Rules:
+        - Name: !Sub "${Environment}-${Platform}-XSSRule"
+          Priority: 1
+          Action:
+            Block: {}
+          Statement:
+            XssMatchStatement:
+              FieldToMatch:
+                UriPath: {}
+              TextTransformations:
+                - Priority: 0
+                  Type: NONE
+          VisibilityConfig:
+            CloudWatchMetricsEnabled: true
+            MetricName: "XSSRule"
+            SampledRequestsEnabled: true
+
   WebACL:
     Type: "AWS::WAF::WebACL"
     Properties:
@@ -53,7 +82,7 @@ Resources:
     Properties:
       Name: !Sub "/config/CKAN/${Environment}/common/waf_acl_id"
       Type: String
-      Value: !Ref WebACL
+      Value: !GetAtt WebACLv2.Arn
 
 Outputs:
   WebACLId: