[BUG][Config Validation] z141 - Some VPC removal protections dropped

[Brian969]

Short Problem Description

• while changes to a VPC configuration appear to still be blocked, one of my collegues removed (xx'd) out a VPC and the state machine allowed the change, executing and then failing when it could not remove the VPC
• ticket z002 (https://issues.amazon.com/issues/PBMM-83) was supposed to prevent this from happening along with other unsupported changes
• sometimes nacl changes are allowed sometimes blocked.
• we need to go back through and re-assess ALL blocks and make sure they are preventing all changes as originally intended
• we need to go back through and re-assess ALL "scoped overrides" and make sure they overide the check as intended
  • 'ov-global-options': false,
  • 'ov-del-accts': false,
  • 'ov-ren-accts': false,
  • 'ov-acct-email': false,
  • 'ov-acct-ou': false,
  • 'ov-acct-vpc': false,
  • 'ov-acct-subnet': false,
  • 'ov-tgw': false,
  • 'ov-mad': false,
  • 'ov-ou-vpc': false,
  • 'ov-ou-subnet': false,
  • 'ov-share-to-ou': false,
  • 'ov-share-to-accounts': false,
  • 'ov-nacl': false
• we need to add any new blocks required since we did z002.

Example

FYI - For the ADDITIONALLY/OVERIDES ISSUE - Proserve was doing a deployment today. They turned on az-d which fails due to nacl updates (expected), they then incremented the nacl id's by one i.e. 100 becomes 101, and the comparison blocks, blocked the change. They then set {"ov-nacl": true} and it still failed. but {"overrideComparison": true} succeeded. Just more evidence on the "SCOPED" overides not functioning properly. Error was: {\"errorType\":\"Error\",\"errorMessage\":\"There were errors while comparing the configuration changes:\nConfigCheck: blocked changing config path \\"organizational-units/Dev/vpc/0/subnets/3/nacls/1/rule\\"\nConfigCheck: blocked changing config path \\"organizational-units/Dev/vpc/0/subnets/3/nacls/0/rule\\"\",\"trace\":[\"Error: There were errors while comparing the configuration changes:\",\"ConfigCheck: blocked changing config path \\"organizational-units/Dev/vpc/0/subnets/3/nacls/1/rule\\"\",\"ConfigCheck: blocked changing config path \\"organizational-units/Dev/vpc/0/subnets/3/nacls/0/rule\\"\",\" at Runtime.Xn [as handler] (/var/task/index.js:329:271518)\",\" at processTicksAndRejections (internal/process/task_queues.js:97:5)\"]}

Expected Behavior

• Accelerator fails with "ConfigCheck: blocked changing..." error (and should NOT continue)
• As z002 was a long time ago, can we also take a quick review to make sure other blocks remain in place. Are their any additional new blocks we need to add?

Actual Behavior

• Accelerator does NOT block customer from making unsupported VPC removal change

[Brian969]

FYI: I was specifying the scoped overrides wrong and why they were not working - I was providing: {'ov-global-options': false} when this is the proper format: { "configOverrides": { 'ov-global-options': true } }

[Brian969]

VPC, subnet, CIDR protections fixed in v1.2.5, keeping open for further ongoing assessment.