Backport secure VPC default SG change
fiunchinho committed Jan 22, 2024
1 parent ad3b86d commit a677db7
Showing 5 changed files with 13 additions and 1 deletion.
@@ -397,6 +397,9 @@
cidrBlock:
description: CidrBlock is the CIDR block to be used when the provider creates a managed VPC. Defaults to 10.0.0.0/16. Mutually exclusive with IPAMPool.
type: string
emptyRoutesDefaultVPCSecurityGroup:
description: "EmptyRoutesDefaultVPCSecurityGroup specifies whether the default VPC security group ingress and egress rules should be removed. \n By default, when creating a VPC, AWS creates a security group called `default` with ingress and egress rules that allow traffic from anywhere. The group could be used as a potential surface attack and it's generally suggested that the group rules are removed or modified appropriately. \n NOTE: This only applies when the VPC is managed by the Cluster API AWS controller."
type: boolean
id:
description: ID is the vpc-id of the VPC this provider should use to create resources.
type: string
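Review bot: the description string of the new `emptyRoutesDefaultVPCSecurityGroup` field says the default group "could be used as a potential surface attack"; that should read "attack surface". The field also carries no `default:` in this schema, so leaving it unset keeps the `default` security group's existing rules in place, i.e. the hardening is opt-in; the description should say so explicitly, the way `cidrBlock` just above documents its own default ("Defaults to 10.0.0.0/16"), so operators do not assume the rules are removed merely because the field exists.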
@@ -393,6 +393,9 @@
cidrBlock:
description: CidrBlock is the CIDR block to be used when the provider creates a managed VPC. Defaults to 10.0.0.0/16. Mutually exclusive with IPAMPool.
type: string
emptyRoutesDefaultVPCSecurityGroup:
description: "EmptyRoutesDefaultVPCSecurityGroup specifies whether the default VPC security group ingress and egress rules should be removed. \n By default, when creating a VPC, AWS creates a security group called `default` with ingress and egress rules that allow traffic from anywhere. The group could be used as a potential surface attack and it's generally suggested that the group rules are removed or modified appropriately. \n NOTE: This only applies when the VPC is managed by the Cluster API AWS controller."
type: boolean
id:
description: ID is the vpc-id of the VPC this provider should use to create resources.
type: string
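Review bot: this addition is identical to the previous CRD hunk, including the "potential surface attack" wording, which is expected for generated manifests. Since the values.yaml comment in this same commit says CRDs are updated with `make generate`, the wording fix belongs in the Go type's doc comment followed by regeneration, so every generated copy is corrected together rather than each YAML file being edited by hand.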
@@ -381,6 +381,9 @@
cidrBlock:
description: CidrBlock is the CIDR block to be used when the provider creates a managed VPC. Defaults to 10.0.0.0/16. Mutually exclusive with IPAMPool.
type: string
emptyRoutesDefaultVPCSecurityGroup:
description: "EmptyRoutesDefaultVPCSecurityGroup specifies whether the default VPC security group ingress and egress rules should be removed. \n By default, when creating a VPC, AWS creates a security group called `default` with ingress and egress rules that allow traffic from anywhere. The group could be used as a potential surface attack and it's generally suggested that the group rules are removed or modified appropriately. \n NOTE: This only applies when the VPC is managed by the Cluster API AWS controller."
type: boolean
id:
description: ID is the vpc-id of the VPC this provider should use to create resources.
type: string
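Review bot: same generated copy of the field. The check worth doing before merging a backport like this is that the controller image the chart now references actually implements `emptyRoutesDefaultVPCSecurityGroup`; if only the CRD is updated, the API server accepts the field while the running controller ignores it, and the open rules on the `default` group remain with no error to flag it.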
@@ -400,6 +400,9 @@
cidrBlock:
description: CidrBlock is the CIDR block to be used when the provider creates a managed VPC. Defaults to 10.0.0.0/16. Mutually exclusive with IPAMPool.
type: string
emptyRoutesDefaultVPCSecurityGroup:
description: "EmptyRoutesDefaultVPCSecurityGroup specifies whether the default VPC security group ingress and egress rules should be removed. \n By default, when creating a VPC, AWS creates a security group called `default` with ingress and egress rules that allow traffic from anywhere. The group could be used as a potential surface attack and it's generally suggested that the group rules are removed or modified appropriately. \n NOTE: This only applies when the VPC is managed by the Cluster API AWS controller."
type: boolean
id:
description: ID is the vpc-id of the VPC this provider should use to create resources.
type: string
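Review bot: fourth identical copy of the field; one point specific to the NOTE in its description ("only applies when the VPC is managed by the Cluster API AWS controller") is that it should be surfaced in the chart's user-facing documentation as well, because a user bringing their own VPC can set the flag and reasonably expect the default group's rules to be emptied when nothing will happen.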
2 changes: 1 addition & 1 deletion helm/cluster-api-provider-aws/values.yaml
@@ -3,7 +3,7 @@ name: cluster-api-provider-aws
# needed. Please read https://github.com/giantswarm/cluster-api-provider-aws/blob/main/README.md on how to create a
# release. Please include the short commit SHA in the tag name, such as `v2.0.2-gs-123abcd`. After changing this
# tag, please run `make generate` to update CRDs and other manifests.
tag: v2.3.0-gs-ba007f823 # upstream v2.3.0 + backported features/fixes (https://github.com/giantswarm/cluster-api-provider-aws/pull/576) + more backports (https://github.com/giantswarm/cluster-api-provider-aws/pull/580) + https://github.com/giantswarm/cluster-api-provider-aws/pull/582
tag: v2.3.0-gs-13a6101cc # upstream v2.3.0 + backported features/fixes (https://github.com/giantswarm/cluster-api-provider-aws/pull/576) + more backports (https://github.com/giantswarm/cluster-api-provider-aws/pull/580 + https://github.com/giantswarm/cluster-api-provider-aws/pull/582 + https://github.com/giantswarm/cluster-api-provider-aws/pull/583)

infrastructure:
image:
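Review bot: the trailing comment on the new `tag:` line has grown into a single line chaining four PR URLs; the backport history would be easier to audit and to diff as one `# https://github.com/giantswarm/cluster-api-provider-aws/pull/583` style line per backport above the key. The new tag `v2.3.0-gs-13a6101cc` keeps the 9-character short SHA of its predecessor `ba007f823`, while the comment's example `v2.0.2-gs-123abcd` shows 7 characters; pick one convention and make the comment match it. Finally, confirm the image with this tag is published before the chart is released, since the CRD hunks in this commit add a field that only the newer controller honours.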