This repository was archived by the owner on May 13, 2021. It is now read-only.

Enable GovCloud and CN partitions (NOT COMPLETE)#23

Open
dacut wants to merge 14 commits into awslabs:master from dacut:master

Conversation

@dacut

@dacut dacut commented Mar 29, 2018

This is a significant refactor, and it's not complete -- there's a bucket this refers to, and I'm not sure who owns it.

Walking through the changes:

  • Reformatted the CFN templates so the indentation isn't misleading and made spacing consistent (used the dominant style: 2 space indents, no spaces on inline objects or arrays).
  • Added an option for a custom AMI (Cisco doesn't publicly share the AMI id in GovCloud yet).
  • Use Docker to build the transit-vpc-push-cisco-config Lambda function on Amazon Linux (so someone doesn't accidentally pick up Ubuntu or MacOS files).
  • Rewrote hard-coded ARNs from arn:aws:... to arn:${AWS::Partition}:....
  • Since the solutions-us-gov-west-1 bucket containing the solution-helper.zip file for the Lambda function doesn't exist, pointed GovCloud at my personal version for now. This needs to be fixed.

The incompleteness is the last step. We need to figure out who owns the solutions-regionname buckets on the commercial partitions and get this replicated up into GovCloud and CN.
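The arn:aws:... to arn:${AWS::Partition}:... rewrite in the list above is the kind of change that is easy to miss in one place and then only fails at deploy time in GovCloud or CN (an IAM resource ARN pinned to the commercial partition never matches a us-gov or cn resource, so the statement silently grants nothing). The following is an added example, not code from this PR or from the transit-vpc project: a small Python linter/rewriter for JSON CloudFormation templates. Function names, the sample template and the resource names in it are constructed for illustration; it handles plain strings, Fn::Join elements and both forms of Fn::Sub, and escapes a literal `${` when it promotes a plain string to a Fn::Sub template.

```python
import json
import re
import sys

# Matches an ARN whose partition is hard-coded (commercial, China or GovCloud).
# "arn:${AWS::Partition}:..." does not match, so already-fixed ARNs are skipped.
ARN_PREFIX = re.compile(r"^arn:aws(-cn|-us-gov)?:")

# Constructed sample template in the "before" state described by the PR:
# three ARNs pinned to the commercial partition in three different positions.
SAMPLE_TEMPLATE = {
    "Resources": {
        "PushConfigRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "ManagedPolicyArns": [
                    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
                ],
                "Policies": [{
                    "PolicyName": "push-config",
                    "PolicyDocument": {"Statement": [
                        {"Effect": "Allow", "Action": ["s3:GetObject"],
                         "Resource": {"Fn::Join": ["", [
                             "arn:aws:s3:::", {"Ref": "ConfigBucket"}, "/*"]]}},
                        {"Effect": "Allow", "Action": ["kms:Decrypt"],
                         "Resource": {"Fn::Sub":
                             "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*"}},
                    ]},
                }],
            },
        }
    }
}


def _rewrite_str(value, in_sub):
    """Replace a hard-coded partition prefix; returns (new_value, changed)."""
    m = ARN_PREFIX.match(value)
    if not m:
        return value, False
    rest = value[m.end():]
    if not in_sub:
        # A plain string was never interpolated by CloudFormation, so any
        # literal "${" it contains must be escaped ("${!") once it becomes a
        # Fn::Sub template, or Fn::Sub would try to resolve it as a variable.
        rest = rest.replace("${", "${!")
    return "arn:${AWS::Partition}:" + rest, True


def rewrite_partition_arns(node):
    """Return a deep copy of `node` with every hard-coded partition replaced
    by the ${AWS::Partition} pseudo parameter (wrapped in Fn::Sub as needed)."""
    if isinstance(node, str):
        new, changed = _rewrite_str(node, in_sub=False)
        return {"Fn::Sub": new} if changed else node
    if isinstance(node, list):
        return [rewrite_partition_arns(x) for x in node]
    if isinstance(node, dict):
        if len(node) == 1 and "Fn::Sub" in node:
            arg = node["Fn::Sub"]
            if isinstance(arg, str):                       # {"Fn::Sub": "..."}
                return {"Fn::Sub": _rewrite_str(arg, in_sub=True)[0]}
            if isinstance(arg, list) and len(arg) == 2 and isinstance(arg[0], str):
                # {"Fn::Sub": ["...", {var: value}]}: the template string is
                # already interpolated; the variable map is ordinary content.
                return {"Fn::Sub": [_rewrite_str(arg[0], in_sub=True)[0],
                                    rewrite_partition_arns(arg[1])]}
        return {k: rewrite_partition_arns(v) for k, v in node.items()}
    return node


def find_hardcoded_partition_arns(node, path="$"):
    """Lint: list JSONPath-style locations of strings still pinned to a partition."""
    hits = []
    if isinstance(node, str):
        if ARN_PREFIX.match(node):
            hits.append(path)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_hardcoded_partition_arns(item, f"{path}[{i}]"))
    elif isinstance(node, dict):
        for key, value in node.items():
            hits.extend(find_hardcoded_partition_arns(value, f"{path}.{key}"))
    return hits


if __name__ == "__main__":
    # Usage: python partition_arns.py [template.json]; with no argument the
    # constructed sample is used. Prints the rewritten template in the
    # 2-space-indent style the PR description settles on.
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for hit in find_hardcoded_partition_arns(template):
        print("hard-coded partition:", hit, file=sys.stderr)
    print(json.dumps(rewrite_partition_arns(template), indent=2))
```

Running the lint over a template before and after the rewrite (the `find_hardcoded_partition_arns` list should be empty afterwards) is a cheap check to add to a build step, so that a new hard-coded `arn:aws:` cannot sneak back in once the bucket question is settled.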

@NathanTCz

The current solution also does not create an ipsec or ikev2 profile using the stronger encryption required by GovCloud (dh group14 and sha2; see https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-vpc.html). The csr config function parses these options but does not add another profile using them. Instead the deployment/transit-vpc-primary-account.template creates a default isakmp policy 200 and ipsec profile ipsec-vpn-aws and uses this for all spoke connections. This will need to be fixed for connections from GovCloud VGWs to work properly.

@hvital

hvital commented Jun 28, 2019

Thanks for your contribution. This PR will be evaluated for the next version and we'll update to this thread once we have more information.
