Latest config samples tweaks (#774)

* tweak-configs

- auto-scale instance refresh reduced to 7 days from 30
- fix perimeter alb target group configurations
- align all example config files

* fix ami versions

* repush test config

* protect ASEA deployed net constructs in Sandbox

Author: Brian969

reference-artifacts/SAMPLE_CONFIGS/config.example.json

@@ -1067,7 +1067,7 @@
           "num-rdgw-hosts": 1,
           "min-rdgw-hosts": 1,
           "max-rdgw-hosts": 2,
-          "rdgw-max-instance-age": 30,
+          "rdgw-max-instance-age": 7,
           "rdgw-instance-type": "t2.large",
           "rdgw-instance-role": "${ACCELERATOR_PREFIX_ND}-RDGW-Role",
           "password-policies": {
@@ -1173,7 +1173,7 @@
           "rsyslog-instance-type": "t2.large",
           "rsyslog-instance-role": "${ACCELERATOR_PREFIX_ND}-Rsyslog-Role",
           "rsyslog-root-volume-size": 100,
-          "rsyslog-max-instance-age": 30
+          "rsyslog-max-instance-age": 7
         }
       }
     },
@@ -1258,7 +1258,7 @@
           "access-logs": true,
           "targets": [
             {
-              "target-name": "FG1-Web-azA",
+              "target-name": "Firewalls",
               "target-type": "instance",
               "protocol": "HTTPS",
               "port": 7001,
@@ -1271,20 +1271,7 @@
                   "target": "firewall",
                   "name": "Firewall",
                   "az": "a"
-                }
-              ],
-              "tg-weight": 1
-            },
-            {
-              "target-name": "FG1-Web-azB",
-              "target-type": "instance",
-              "protocol": "HTTPS",
-              "port": 7001,
-              "health-check-protocol": "HTTPS",
-              "health-check-path": "/health-check",
-              "health-check-port": 7001,
-              "lambda-filename": "",
-              "target-instances": [
+                },
                 {
                   "target": "firewall",
                   "name": "Firewall",
@@ -1318,7 +1305,7 @@
           "access-logs": true,
           "targets": [
             {
-              "target-name": "FG1-Web-azA",
+              "target-name": "Firewalls",
               "target-type": "instance",
               "protocol": "HTTPS",
               "port": 7002,
@@ -1331,20 +1318,7 @@
                   "target": "firewall",
                   "name": "Firewall",
                   "az": "a"
-                }
-              ],
-              "tg-weight": 1
-            },
-            {
-              "target-name": "FG1-Web-azB",
-              "target-type": "instance",
-              "protocol": "HTTPS",
-              "port": 7002,
-              "health-check-protocol": "HTTPS",
-              "health-check-path": "/health-check",
-              "health-check-port": 7001,
-              "lambda-filename": "",
-              "target-instances": [
+                },
                 {
                   "target": "firewall",
                   "name": "Firewall",

reference-artifacts/SAMPLE_CONFIGS/config.lite-example.json

@@ -1007,7 +1007,7 @@
           "num-rdgw-hosts": 1,
           "min-rdgw-hosts": 1,
           "max-rdgw-hosts": 2,
-          "rdgw-max-instance-age": 30,
+          "rdgw-max-instance-age": 7,
           "rdgw-instance-type": "t2.large",
           "rdgw-instance-role": "${ACCELERATOR_PREFIX_ND}-RDGW-Role",
           "password-policies": {
@@ -1113,7 +1113,7 @@
           "rsyslog-instance-type": "t2.large",
           "rsyslog-instance-role": "${ACCELERATOR_PREFIX_ND}-Rsyslog-Role",
           "rsyslog-root-volume-size": 100,
-          "rsyslog-max-instance-age": 30
+          "rsyslog-max-instance-age": 7
         }
       }
     },
@@ -1198,7 +1198,7 @@
           "access-logs": true,
           "targets": [
             {
-              "target-name": "FG1-Web-azA",
+              "target-name": "Firewalls",
               "target-type": "instance",
               "protocol": "HTTPS",
               "port": 7001,
@@ -1211,20 +1211,7 @@
                   "target": "firewall",
                   "name": "Firewall",
                   "az": "a"
-                }
-              ],
-              "tg-weight": 1
-            },
-            {
-              "target-name": "FG1-Web-azB",
-              "target-type": "instance",
-              "protocol": "HTTPS",
-              "port": 7001,
-              "health-check-protocol": "HTTPS",
-              "health-check-path": "/health-check",
-              "health-check-port": 7001,
-              "lambda-filename": "",
-              "target-instances": [
+                },
                 {
                   "target": "firewall",
                   "name": "Firewall",
@@ -1258,7 +1245,7 @@
           "access-logs": true,
           "targets": [
             {
-              "target-name": "FG1-Web-azA",
+              "target-name": "Firewalls",
               "target-type": "instance",
               "protocol": "HTTPS",
               "port": 7002,
@@ -1271,20 +1258,7 @@
                   "target": "firewall",
                   "name": "Firewall",
                   "az": "a"
-                }
-              ],
-              "tg-weight": 1
-            },
-            {
-              "target-name": "FG1-Web-azB",
-              "target-type": "instance",
-              "protocol": "HTTPS",
-              "port": 7002,
-              "health-check-protocol": "HTTPS",
-              "health-check-path": "/health-check",
-              "health-check-port": 7001,
-              "lambda-filename": "",
-              "target-instances": [
+                },
                 {
                   "target": "firewall",
                   "name": "Firewall",

reference-artifacts/SAMPLE_CONFIGS/config.multi-region-example.json

@@ -1276,7 +1276,7 @@
           "num-rdgw-hosts": 1,
           "min-rdgw-hosts": 1,
           "max-rdgw-hosts": 2,
-          "rdgw-max-instance-age": 30,
+          "rdgw-max-instance-age": 7,
           "rdgw-instance-type": "t2.large",
           "rdgw-instance-role": "${ACCELERATOR_PREFIX_ND}-RDGW-Role",
           "password-policies": {
@@ -1382,7 +1382,7 @@
           "rsyslog-instance-type": "t2.large",
           "rsyslog-instance-role": "${ACCELERATOR_PREFIX_ND}-Rsyslog-Role",
           "rsyslog-root-volume-size": 100,
-          "rsyslog-max-instance-age": 30
+          "rsyslog-max-instance-age": 7
         }
       }
     },
@@ -1467,7 +1467,7 @@
           "access-logs": true,
           "targets": [
             {
-              "target-name": "FG1-Web-azA",
+              "target-name": "Firewalls",
               "target-type": "instance",
               "protocol": "HTTPS",
               "port": 7001,
@@ -1480,20 +1480,7 @@
                   "target": "firewall",
                   "name": "Firewall",
                   "az": "a"
-                }
-              ],
-              "tg-weight": 1
-            },
-            {
-              "target-name": "FG1-Web-azB",
-              "target-type": "instance",
-              "protocol": "HTTPS",
-              "port": 7001,
-              "health-check-protocol": "HTTPS",
-              "health-check-path": "/health-check",
-              "health-check-port": 7001,
-              "lambda-filename": "",
-              "target-instances": [
+                },
                 {
                   "target": "firewall",
                   "name": "Firewall",
@@ -1527,7 +1514,7 @@
           "access-logs": true,
           "targets": [
             {
-              "target-name": "FG1-Web-azA",
+              "target-name": "Firewalls",
               "target-type": "instance",
               "protocol": "HTTPS",
               "port": 7002,
@@ -1540,20 +1527,7 @@
                   "target": "firewall",
                   "name": "Firewall",
                   "az": "a"
-                }
-              ],
-              "tg-weight": 1
-            },
-            {
-              "target-name": "FG1-Web-azB",
-              "target-type": "instance",
-              "protocol": "HTTPS",
-              "port": 7002,
-              "health-check-protocol": "HTTPS",
-              "health-check-path": "/health-check",
-              "health-check-port": 7001,
-              "lambda-filename": "",
-              "target-instances": [
+                },
                 {
                   "target": "firewall",
                   "name": "Firewall",

…PLE_CONFIGS/BAD-config.test-example.json …/SAMPLE_CONFIGS/config.test-example.jsonreference-artifacts/SAMPLE_CONFIGS/BAD-config.test-example.json renamed to reference-artifacts/SAMPLE_CONFIGS/config.test-example.json reference-artifacts/SAMPLE_CONFIGS/BAD-config.test-example.json renamed to reference-artifacts/SAMPLE_CONFIGS/config.test-example.json

@@ -1,5 +1,4 @@
 {
-"NOTE": "THIS FILE IS CONTAMINATED WITH ARTIFACTS FROM FUTURE v1.5.0",
   "replacements": {
     "addl_regions": {
       "a": ["${HOME_REGION}"],
@@ -1063,7 +1062,7 @@
           "num-rdgw-hosts": 1,
           "min-rdgw-hosts": 1,
           "max-rdgw-hosts": 2,
-          "rdgw-max-instance-age": 30,
+          "rdgw-max-instance-age": 7,
           "rdgw-instance-type": "t2.medium",
           "rdgw-instance-role": "${ACCELERATOR_PREFIX_ND}-RDGW-Role",
           "password-policies": {
@@ -1169,7 +1168,7 @@
           "rsyslog-instance-type": "t2.medium",
           "rsyslog-instance-role": "${ACCELERATOR_PREFIX_ND}-Rsyslog-Role",
           "rsyslog-root-volume-size": 100,
-          "rsyslog-max-instance-age": 30
+          "rsyslog-max-instance-age": 7
         }
       }
     },
@@ -1254,7 +1253,7 @@
           "access-logs": true,
           "targets": [
             {
-              "target-name": "FG1-Web-azA",
+              "target-name": "Firewalls",
               "target-type": "instance",
               "protocol": "HTTPS",
               "port": 7001,
@@ -1267,20 +1266,7 @@
                   "target": "firewall",
                   "name": "Firewall",
                   "az": "a"
-                }
-              ],
-              "tg-weight": 1
-            },
-            {
-              "target-name": "FG1-Web-azB",
-              "target-type": "instance",
-              "protocol": "HTTPS",
-              "port": 7001,
-              "health-check-protocol": "HTTPS",
-              "health-check-path": "/health-check",
-              "health-check-port": 7001,
-              "lambda-filename": "",
-              "target-instances": [
+                },
                 {
                   "target": "firewall",
                   "name": "Firewall",
@@ -1314,7 +1300,7 @@
           "access-logs": true,
           "targets": [
             {
-              "target-name": "FG1-Web-azA",
+              "target-name": "Firewalls",
               "target-type": "instance",
               "protocol": "HTTPS",
               "port": 7002,
@@ -1327,20 +1313,7 @@
                   "target": "firewall",
                   "name": "Firewall",
                   "az": "a"
-                }
-              ],
-              "tg-weight": 1
-            },
-            {
-              "target-name": "FG1-Web-azB",
-              "target-type": "instance",
-              "protocol": "HTTPS",
-              "port": 7002,
-              "health-check-protocol": "HTTPS",
-              "health-check-path": "/health-check",
-              "health-check-port": 7001,
-              "lambda-filename": "",
-              "target-instances": [
+                },
                 {
                   "target": "firewall",
                   "name": "Firewall",

reference-artifacts/SCPs/ASEA-Guardrails-Sandbox.json

@@ -1,6 +1,39 @@
 {
   "Version": "2012-10-17",
   "Statement": [
+    {
+      "Sid": "DenySBTag",
+      "Effect": "Deny",
+      "Action": [
+        "ec2:DeleteNatGateway",
+        "ec2:DeleteTransitGatewayRoute",
+        "ec2:DeleteTransitGatewayRouteTable",
+        "ec2:DeleteTransitGatewayVpcAttachment",
+        "ec2:DeleteVpc",
+        "ec2:DeleteVpcEndpoints",
+        "ec2:DeleteVpcPeeringConnection",
+        "ec2:DeleteCustomerGateway",
+        "ec2:DeleteDhcpOptions",
+        "ec2:DeleteInternetGateway",
+        "ec2:DeleteRouteTable",
+        "ec2:DeleteSubnet",
+        "ec2:DeleteRoute",
+        "ec2:DetachInternetGateway",
+        "ec2:DisassociateRouteTable"
+      ],
+      "Resource": "*",
+      "Condition": {
+        "StringEquals": {
+          "ec2:ResourceTag/Accelerator": "${ACCELERATOR_NAME}"
+        },
+        "ArnNotLike": {
+          "aws:PrincipalArn": [
+            "arn:aws:iam::*:role/${ACCELERATOR_PREFIX}*",
+            "arn:aws:iam::*:role/${ACCELERATOR_NAME}Ops-*"
+          ]
+        }
+      }
+    },
     {
       "Sid": "DenyAllOutsideCanadaUS",
       "Effect": "Deny",