Adding WAF to sit in front of cognito for additional security

[dwhitestratiform]

Description

AWS Cognito has API endpoints that are public similar to api gateway or cloudfront it is a good practice to protect this resource with a web application firewall (WAF) to restrict traffic and provide additional security measures from the firewall. This PR adds a WAF to cognito following the pattern of the other MDCT apps.

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html

Related ticket(s)

https://jiraent.cms.gov/browse/CMDCT-3665

---

How to test

after merge to main log into main env with idm user to verify no issues are seen.

Important updates

I'm not crazy about adding more severless changes as we're attempting to migrate to the cdk but its a fairly straight approach from our other services so when we do waf changes in any other service for cdk that will just carry over to here.

---

Author checklist

• I have performed a self-review of my code
• I have added thorough tests, if necessary
• [] I have updated relevant documentation, if necessary

---

convert to a different template: test → val | val → prod

[codeclimate]

Code Climate has analyzed commit cbf413d and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (90% is the threshold).

This pull request will bring the total coverage in the repository to 80.8% (0.0% change).

View more on Code Climate.