docs/installation/installation.md
2 additions & 2 deletions
@@ -55,7 +55,7 @@ These installation instructions assume the prescribed architecture is being depl
55
55
- Limit increase to support a minimum of 6 new sub-accounts plus any additional workload accounts
56
56
- Valid configuration file, updated to reflect your deployment (see below)
57
57
- Determine your primary or Accelerator 'control' or 'home' region. These instructions have been written assuming `ca-central-1`, but any supported region can be substituted.
58
-
- The Accelerator _can_ be installed into existing AWS Organizations - see caveats and notes in section 3.3 below
58
+
- The Accelerator _can_ be installed into existing AWS Organizations - see caveats and notes in section 5.2 below
59
59
- Existing ALZ customers are required to remove their ALZ deployment before deploying the Accelerator. Scripts are available to assist with this process. Due to long-term supportability concerns, we no longer support installing the Accelerator on top of the ALZ.
60
60
61
61
### 2.1.2. Accelerator Pre-Install Steps
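Review bot: the changed line only swaps the numeric cross-reference from "section 3.3" to "section 5.2"; please confirm in the same PR that a "5.2" heading actually exists in this file and is the one that holds the existing-Organizations caveats, and consider replacing the bare number with a markdown link to that heading's anchor so the reference does not drift again the next time sections are renumbered.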
@@ -524,7 +524,7 @@ The Accelerator will not create/update/delete new AD users or groups, nor will i
524
524
- While generally protected, do not delete/update/change s3 buckets with CDK, CFN, or PBMMAccel- in _any_ sub-accounts.- ALB automated deployments only supports Forward and not redirect rules.
525
525
- The Accelerator deploys SNS topics to send email alerts and notifications. Given email is not a secure transport mechanism, we have chosen not to enable SNS encryption on these topics at this time.
526
526
- AWS generally discourages cross-account KMS key usage. As the Accelerator centralizes logs across an entire organization (security best practice), this is an exception/example of a unique situation where cross-account KMS key access is required.
527
-
- The Accelerator aggregates all logs in the log-archive account using Kinesis Data and Kinesis Firehose as aggregration tools where the logs could persist for up to 24 hours. These logs are encrypted with Customer Managed KMS keys once stored in S3 (ELB logs only support AES256). These logs are also encrypted in transit using TLS encryption. At this time, we have not enabled Kinesis at-rest encryption, we will reconsider this decision based on customer feedback.
527
+
- The Accelerator aggregates all logs in the log-archive account using Kinesis Data and Kinesis Firehose as aggregation tools where the logs could persist for up to 24 hours. These logs are encrypted with Customer Managed KMS keys once stored in S3 (ELB logs only support AES256). These logs are also encrypted in transit using TLS encryption. At this time, we have not enabled Kinesis at-rest encryption, we will reconsider this decision based on customer feedback.
528
528
- AWS Config Aggregator is deployed in the Organization Management (root) account as enablement through Organizations is simpler to implement. AWS Organizations only supports deploying the Aggregator in the Organization Management (root) account and not in a designated administrative account at this time. Once supported, we plan to update the code to move the Aggregator administrative account.
529
529
- An Organization CloudTrail is deployed, which is created in the primary region in the Organization Management (root) AWS account. All AWS account CloudTrails are centralized into this single CloudWatch Log Group. Starting in v1.1.9 this is where we deploy the CloudWatch Alarms which trigger for ALL accounts in the organization. Security Hub will erroneously report that the only account and/or region that is compliant with certain rules is the primary region of the Organization Management (root) account. We are working with the Security Hub team to rectify this situation in future Security Hub/Accelerator releases.
530
530
- Amazon Detective - we have chosen not to enable at this time.
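Review bot: while this line is already being touched for the "aggregration" typo, the same sentence has a comma splice ("...we have not enabled Kinesis at-rest encryption, we will reconsider...") that should become two sentences or a semicolon, and the parenthetical "(ELB logs only support AES256)" would be clearer as "(ELB access logs only support S3-managed SSE-S3/AES256 keys, not the customer-managed KMS keys used for the other logs)" so readers understand those logs fall outside the CMK statement made just before it.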