[feat] Add VPCE tags

.github/workflows/security_audit.yml

@@ -0,0 +1,21 @@
+name: Security audit
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  push:
+    paths: 
+      - '**/Cargo.toml'
+      - '**/Cargo.lock'
+jobs:
+  security_audit:
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'aws-samples'
+    permissions:
+      issues: write
+      checks: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      - uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998  # v2.0.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}

deploy.sh

@@ -23,8 +23,8 @@ fi
 
 printf "\n#################################################################################"
 printf "\n## Please ensure the IAM principal (IAM User or Role) you are using to execute ##"
-printf "\n## this installation script includes a \"network-perimeter-exception\" tag key   ##"
-printf "\n## with a tag value of \"true\" or the installation will fail.                   ##"
+printf "\n## this installation script includes a \"dp:exclude:network\" tag key with a     ##"
+printf "\n## tag value of \"true\" or the installation will fail.                          ##"
 printf "\n#################################################################################\n\n"
 
 STACK_PREFIX=nitro-vault

vault_template.yml

@@ -624,7 +624,8 @@ Resources:
             Min: 8192
           VCpuCount:
             Min: 8
-        ImageId: "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-minimal-kernel-default-x86_64}}"
+        #ImageId: "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-minimal-kernel-6.12-x86_64}}"
+        ImageId: ami-090e72bf33b5af2ec  # al2023-ami-minimal-2023.6.20250317.2-kernel-6.1-x86_64
         MetadataOptions:
           HttpEndpoint: enabled
           HttpPutResponseHopLimit: 1
@@ -718,12 +719,20 @@ Resources:
           - AlarmNotification
           - ScheduledActions
     Properties:
+      AvailabilityZoneDistribution:
+        CapacityDistributionStrategy: balanced-only
+      AvailabilityZoneImpairmentPolicy:
+        ImpairedZoneHealthCheckBehavior: IgnoreUnhealthy
+        ZonalShiftEnabled: true
       CapacityRebalance: true
       Cooldown: 0  # zero seconds
       DefaultInstanceWarmup: 10  # seconds
       DesiredCapacity: 1
       HealthCheckType: ELB
       HealthCheckGracePeriod: 10  # seconds
+      InstanceMaintenancePolicy:
+        MaxHealthyPercentage: 200
+        MinHealthyPercentage: 100
       MaxInstanceLifetime: 86400  # recycle instances every day (in seconds)
       MaxSize: 2
       MinSize: 1
@@ -738,11 +747,12 @@ Resources:
             LaunchTemplateId: !Ref rLaunchTemplate
             Version: !GetAtt rLaunchTemplate.LatestVersionNumber
       NewInstancesProtectedFromScaleIn: false
+      SkipZonalShiftValidation: true
       TargetGroupARNs:
         - !Ref rTargetGroup
       TerminationPolicies:
         - OldestInstance
-        - OldestLaunchConfiguration
+        - OldestLaunchTemplate
       VPCZoneIdentifier: !Ref pSubnetIds
 
   rLoadBalancer:
@@ -753,12 +763,15 @@ Resources:
           - id: W52
             reason: "Ignoring access logging"
     Properties:
+      EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic: "off"
       IpAddressType: ipv4
       LoadBalancerAttributes:
         - Key: load_balancing.cross_zone.enabled
           Value: "false"
         - Key: dns_record.client_routing_policy
           Value: availability_zone_affinity
+        - Key: zonal_shift.config.enabled
+          Value: "true"
       Scheme: internal
       SecurityGroups:
         - !Ref rLoadBalancerSecurityGroup

vpc_template.yml

@@ -249,6 +249,17 @@ Resources:
         - !Ref rPrivateRouteTable3  # EC2 Route Table
         - !Ref rPrivateRouteTable4  # EC2 Route Table
       ServiceName: !Sub "com.amazonaws.${AWS::Region}.s3"
+      Tags:
+        - Key: Name
+          Value: !Sub "${pResourcePrefix}-vpce-s3"
+        - Key: "aws-cloudformation:stack-name"
+          Value: !Ref "AWS::StackName"
+        - Key: "aws-cloudformation:stack-id"
+          Value: !Ref "AWS::StackId"
+        - Key: "aws-cloudformation:logical-id"
+          Value: rVpcEndpointS3
+        - Key: AppManagerCFNStackKey
+          Value: !Ref "AWS::StackName"
       VpcEndpointType: Gateway
       VpcId: !Ref rVpc
 
@@ -271,6 +282,17 @@ Resources:
         - !Ref rPrivateRouteTable1  # Lambda Route Table
         - !Ref rPrivateRouteTable2  # Lambda Route Table
       ServiceName: !Sub "com.amazonaws.${AWS::Region}.dynamodb"
+      Tags:
+        - Key: Name
+          Value: !Sub "${pResourcePrefix}-vpce-dynamodb"
+        - Key: "aws-cloudformation:stack-name"
+          Value: !Ref "AWS::StackName"
+        - Key: "aws-cloudformation:stack-id"
+          Value: !Ref "AWS::StackId"
+        - Key: "aws-cloudformation:logical-id"
+          Value: rVpcEndpointDynamoDB
+        - Key: AppManagerCFNStackKey
+          Value: !Ref "AWS::StackName"
       VpcEndpointType: Gateway
       VpcId: !Ref rVpc
 
@@ -302,6 +324,17 @@ Resources:
       SubnetIds:
         - !Ref rPrivateSubnet1  # Lambda Subnet AZ1
         - !Ref rPrivateSubnet2  # Lambda Subnet AZ2
+      Tags:
+        - Key: Name
+          Value: !Sub "${pResourcePrefix}-vpce-kms"
+        - Key: "aws-cloudformation:stack-name"
+          Value: !Ref "AWS::StackName"
+        - Key: "aws-cloudformation:stack-id"
+          Value: !Ref "AWS::StackId"
+        - Key: "aws-cloudformation:logical-id"
+          Value: rVpcEndpointKms
+        - Key: AppManagerCFNStackKey
+          Value: !Ref "AWS::StackName"
       VpcEndpointType: Interface
       VpcId: !Ref rVpc
 
@@ -331,6 +364,17 @@ Resources:
       SubnetIds:
         - !Ref rPrivateSubnet3  # EC2 Subnet AZ1
         - !Ref rPrivateSubnet4  # EC2 Subnet AZ2
+      Tags:
+        - Key: Name
+          Value: !Sub "${pResourcePrefix}-vpce-ssm"
+        - Key: "aws-cloudformation:stack-name"
+          Value: !Ref "AWS::StackName"
+        - Key: "aws-cloudformation:stack-id"
+          Value: !Ref "AWS::StackId"
+        - Key: "aws-cloudformation:logical-id"
+          Value: rVpcEndpointSsm
+        - Key: AppManagerCFNStackKey
+          Value: !Ref "AWS::StackName"
       VpcEndpointType: Interface
       VpcId: !Ref rVpc
 
@@ -360,6 +404,17 @@ Resources:
       SubnetIds:
         - !Ref rPrivateSubnet3  # EC2 Subnet AZ1
         - !Ref rPrivateSubnet4  # EC2 Subnet AZ2
+      Tags:
+        - Key: Name
+          Value: !Sub "${pResourcePrefix}-vpce-ssmmessages"
+        - Key: "aws-cloudformation:stack-name"
+          Value: !Ref "AWS::StackName"
+        - Key: "aws-cloudformation:stack-id"
+          Value: !Ref "AWS::StackId"
+        - Key: "aws-cloudformation:logical-id"
+          Value: rVpcEndpointSsmMessages
+        - Key: AppManagerCFNStackKey
+          Value: !Ref "AWS::StackName"
       VpcEndpointType: Interface
       VpcId: !Ref rVpc
 
@@ -389,6 +444,17 @@ Resources:
       SubnetIds:
         - !Ref rPrivateSubnet3  # EC2 Subnet AZ1
         - !Ref rPrivateSubnet4  # EC2 Subnet AZ2
+      Tags:
+        - Key: Name
+          Value: !Sub "${pResourcePrefix}-vpce-ec2messages"
+        - Key: "aws-cloudformation:stack-name"
+          Value: !Ref "AWS::StackName"
+        - Key: "aws-cloudformation:stack-id"
+          Value: !Ref "AWS::StackId"
+        - Key: "aws-cloudformation:logical-id"
+          Value: rVpcEndpointEc2Messages
+        - Key: AppManagerCFNStackKey
+          Value: !Ref "AWS::StackName"
       VpcEndpointType: Interface
       VpcId: !Ref rVpc
 
@@ -416,6 +482,17 @@ Resources:
       SubnetIds:
         - !Ref rPrivateSubnet3  # EC2 Subnet AZ1
         - !Ref rPrivateSubnet4  # EC2 Subnet AZ2
+      Tags:
+        - Key: Name
+          Value: !Sub "${pResourcePrefix}-vpce-cloudformation"
+        - Key: "aws-cloudformation:stack-name"
+          Value: !Ref "AWS::StackName"
+        - Key: "aws-cloudformation:stack-id"
+          Value: !Ref "AWS::StackId"
+        - Key: "aws-cloudformation:logical-id"
+          Value: rVpcEndpointCloudFormation
+        - Key: AppManagerCFNStackKey
+          Value: !Ref "AWS::StackName"
       VpcEndpointType: Interface
       VpcId: !Ref rVpc