fix: tagging au-12 controls (#765)

This adds AU-12 security controls to resources that has logging enabled.

---------

Co-authored-by: alaincormier-ssc <94859304+alaincormier-ssc@users.noreply.github.com>

examples/landing-zone-v2/configconnector/tier3/external-load-balancer/backend-service.yaml

@@ -14,6 +14,7 @@
 #########
 # create the backend service to attach to an existing mig and cloud armor policy
 # also configure CDN defaults
+# AU-12 - Enable Logging for External load balancer backend service
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeBackendService
 metadata:
@@ -48,6 +49,7 @@ spec:
   loadBalancingScheme: EXTERNAL_MANAGED
   localityLbPolicy: ROUND_ROBIN
   location: global
+  # AU-12
   logConfig:
     enable: true
     sampleRate: 1

examples/landing-zone-v2/configconnector/tier3/external-load-balancer/firewall.yaml

@@ -13,6 +13,7 @@
 # limitations under the License.
 #########
 # fw rule for lb health check
+# AU-12 - Enable Logging for firewall
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeFirewall
 metadata:
@@ -34,5 +35,6 @@ spec:
   targetServiceAccounts:
     - name: workload-name-sa # kpt-set: ${workload-name}-sa
       namespace: project-id-tier4 # kpt-set: ${project-id}-tier4
+  # AU-12
   logConfig:
     metadata: "INCLUDE_ALL_METADATA"

examples/landing-zone-v2/configconnector/tier3/firewall-policy-rules/allow-egress-fqdns.yaml

@@ -14,6 +14,7 @@
 #########
 # example for egress with fqdns
 # edit field values as required
+# AU-12 - Enable Logging for firewall
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeFirewallPolicyRule
 metadata:
@@ -23,6 +24,7 @@ spec:
   description: "allow access to example.com"
   direction: "EGRESS"
   disabled: false
+  # AU-12
   enableLogging: true
   firewallPolicyRef:
     name: client-name-standard-applications-infrastructure-fwpol # kpt-set: ${client-name}-standard-applications-infrastructure-fwpol

examples/landing-zone-v2/configconnector/tier3/https-external-load-balancer/backend-service.yaml

@@ -14,6 +14,7 @@
 #########
 # create the backend service to attach to an existing mig and cloud armor policy
 # also configure CDN defaults
+# AU-12 - Enable Logging for https load balancer
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeBackendService
 metadata:
@@ -48,6 +49,7 @@ spec:
   loadBalancingScheme: EXTERNAL_MANAGED
   localityLbPolicy: ROUND_ROBIN
   location: global
+  # AU-12
   logConfig:
     enable: true
     sampleRate: 1

examples/landing-zone-v2/configconnector/tier3/https-external-load-balancer/firewall.yaml

@@ -13,6 +13,7 @@
 # limitations under the License.
 #########
 # fw rule for lb health check
+# AU-12 - Enable Logging for firewall
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeFirewall
 metadata:
@@ -34,5 +35,6 @@ spec:
   targetServiceAccounts:
     - name: workload-name-sa # kpt-set: ${workload-name}-sa
       namespace: project-id-tier4 # kpt-set: ${project-id}-tier4
+  # AU-12
   logConfig:
     metadata: "INCLUDE_ALL_METADATA"

examples/landing-zone-v2/configconnector/tier3/remote-access-to-gce/firewall-iap.yaml

@@ -14,6 +14,7 @@
 #########
 # IAP to GCE workload service account
 # IAM permissions are also required
+# AU-12 - Enable Logging for firewall
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeFirewall
 metadata:
@@ -34,5 +35,6 @@ spec:
   targetServiceAccounts:
     - name: workload-name-sa # kpt-set: ${workload-name}-sa
       namespace: project-id-tier4 # kpt-set: ${project-id}-tier4
+  # AU-12
   logConfig:
     metadata: "INCLUDE_ALL_METADATA"

solutions/client-landing-zone/README.md

@@ -91,8 +91,7 @@ This package has no sub-packages.
 | client-folder/standard/applications-infrastructure/host-project/network/subnet.yaml                                                               | compute.cnrm.cloud.google.com/v1beta1         | ComputeSubnetwork                | host-project-id-nane2-standard-nonp-main-snet                                                | client-name-networking |
 | client-folder/standard/applications-infrastructure/host-project/network/subnet.yaml                                                               | compute.cnrm.cloud.google.com/v1beta1         | ComputeSubnetwork                | host-project-id-nane2-standard-pbmm-main-snet                                                | client-name-networking |
 | client-folder/standard/applications-infrastructure/host-project/network/vpc.yaml                                                                  | compute.cnrm.cloud.google.com/v1beta1         | ComputeNetwork                   | host-project-id-global-standard-vpc                                                          | client-name-networking |
-| client-folder/standard/applications-infrastructure/host-project/org-policies/exceptions/compute-restrict-vpc-peering-except-host-project.yaml     | resourcemanager.cnrm.cloud.google.com/v1beta1 | ResourceManagerPolicy            | compute-restrict-vpc-peering-except-host-project-id                                          | policies               |
-| client-folder/standard/applications-infrastructure/host-project/org-policies/exceptions/gcp-resource-locations-except-host-project.yaml           | resourcemanager.cnrm.cloud.google.com/v1beta1 | ResourceManagerPolicy            | gcp-restrict-resource-locations-except-host-project-id                                       | policies               |
+| client-folder/standard/applications-infrastructure/host-project/org-policies/exceptions/compute-restrict-cloud-nat-usage-except-host-project.yaml | resourcemanager.cnrm.cloud.google.com/v1beta1 | ResourceManagerPolicy            | compute-restrict-cloud-nat-usage-except-host-project-id                                      | policies               |
 | client-folder/standard/applications-infrastructure/host-project/project.yaml                                                                      | resourcemanager.cnrm.cloud.google.com/v1beta1 | Project                          | host-project-id                                                                              | client-name-projects   |
 | client-folder/standard/applications-infrastructure/host-project/project.yaml                                                                      | compute.cnrm.cloud.google.com/v1beta1         | ComputeSharedVPCHostProject      | host-project-id-hostvpc                                                                      | client-name-networking |
 | client-folder/standard/applications-infrastructure/host-project/services.yaml                                                                     | serviceusage.cnrm.cloud.google.com/v1beta1    | Service                          | host-project-id-compute                                                                      | client-name-projects   |

solutions/client-landing-zone/client-folder/firewall-policy/rules/defaults.yaml

@@ -16,6 +16,7 @@
 #########
 # Delegate to host project, egress traffic(firewall) from VPC resources to private IP ranges in shared VPC network
 # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
+# AU-12 - Enable Logging for firewall
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeFirewallPolicyRule
 metadata:
@@ -83,6 +84,7 @@ spec:
   description: "Deny TOR exit nodes ingress traffic"
   direction: "INGRESS"
   disabled: false
+  # AU-12
   enableLogging: true
   # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
   firewallPolicyRef:
@@ -111,6 +113,7 @@ spec:
   description: "Deny sanctioned countries ingress traffic"
   direction: "INGRESS"
   disabled: false
+  # AU-12
   enableLogging: true
   # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
   firewallPolicyRef:

solutions/client-landing-zone/client-folder/firewall-policy/rules/os-updates.yaml

@@ -14,6 +14,7 @@
 #########
 # Allow os updates
 # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
+# AU-12 - Enable Logging for firewall
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeFirewallPolicyRule
 metadata:
@@ -26,6 +27,7 @@ spec:
   description: "Allow os updates"
   direction: "EGRESS"
   disabled: false
+  # AU-12
   enableLogging: true
   # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
   firewallPolicyRef:

solutions/client-landing-zone/client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml

@@ -16,6 +16,7 @@
 #########
 # Delegate to host project, egress traffic(firewall) from VPC resources to private IP ranges in shared VPC network
 # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
+# AU-12 - Enable Logging for firewall policies
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeFirewallPolicyRule
 metadata:
@@ -83,6 +84,7 @@ spec:
   description: "Deny known malicious IPs ingress traffic"
   direction: "INGRESS"
   disabled: false
+  # AU-12
   enableLogging: true
   # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
   firewallPolicyRef:
@@ -110,6 +112,7 @@ spec:
   description: "Deny known malicious IPs egress traffic"
   direction: "EGRESS"
   disabled: false
+  # AU-12
   enableLogging: true
   # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
   firewallPolicyRef:

solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/dnspolicy.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #########
-# Enable DNS logging
+# AU-12 - Enable Logging for DNS
 apiVersion: dns.cnrm.cloud.google.com/v1beta1
 kind: DNSPolicy
 metadata:
@@ -24,6 +24,7 @@ metadata:
 spec:
   resourceID: standard-logging-dnspolicy
   description: "Enable DNS logging"
+  # AU-12
   enableLogging: true
   networks:
     - networkRef:

solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml

@@ -14,6 +14,7 @@
 #########
 # Allow all egress traffic(firewall) from VPC resources to private IP ranges in shared VPC network within host project
 # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
+# AU-12 - Enable Logging for firewall
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeFirewall
 metadata:
@@ -36,6 +37,7 @@ spec:
   # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
   networkRef:
     name: host-project-id-global-standard-vpc # kpt-set: ${host-project-id}-global-standard-vpc
+  # AU-12
   logConfig:
     metadata: "INCLUDE_ALL_METADATA"
 ---
@@ -63,6 +65,7 @@ spec:
   # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
   networkRef:
     name: host-project-id-global-standard-vpc # kpt-set: ${host-project-id}-global-standard-vpc
+  # AU-12
   logConfig:
     metadata: "INCLUDE_ALL_METADATA"
 ---
@@ -90,5 +93,6 @@ spec:
   # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
   networkRef:
     name: host-project-id-global-standard-vpc # kpt-set: ${host-project-id}-global-standard-vpc
+  # AU-12
   logConfig:
     metadata: "INCLUDE_ALL_METADATA"

solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/nat.yaml

@@ -13,6 +13,7 @@
 # limitations under the License.
 #########
 # Cloud NAT northamerica-northeast1
+# AU-12 - Enable Logging for Cloud NAT
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeRouterNAT
 metadata:
@@ -28,6 +29,7 @@ spec:
   routerRef:
     name: host-project-id-nane1-router # kpt-set: ${host-project-id}-nane1-router
   sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES
+  # AU-12
   logConfig:
     enable: true
     filter: ALL
@@ -64,6 +66,7 @@ spec:
   routerRef:
     name: host-project-id-nane2-router # kpt-set: ${host-project-id}-nane2-router
   sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES
+  # AU-12
   logConfig:
     enable: true
     filter: ALL

solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis/firewall.yaml

@@ -14,6 +14,7 @@
 #########
 # Egress allow traffic to Private Service Connect endpoint for Google API access
 # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
+# AU-12 - Enable Logging for firewall
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeFirewall
 metadata:
@@ -34,5 +35,6 @@ spec:
   # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
   networkRef:
     name: host-project-id-global-standard-vpc # kpt-set: ${host-project-id}-global-standard-vpc
+  # AU-12
   logConfig:
     metadata: "INCLUDE_ALL_METADATA"

solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/public-dns.yaml

@@ -14,6 +14,7 @@
 #########
 # Public Client DNS subzone
 # SC-22
+# AU-12 - Enable Logging for DNS Managed zone
 apiVersion: dns.cnrm.cloud.google.com/v1beta1
 kind: DNSManagedZone
 metadata:
@@ -29,6 +30,7 @@ spec:
   visibility: public
   dnssecConfig:
     state: "on"
+  # AU-12
   cloudLoggingConfig:
     enableLogging: true
 ---

solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/network/subnet.yaml

@@ -18,6 +18,7 @@
 # - private google access enabled https://cloud.google.com/vpc/docs/private-google-access
 #########
 # Subnet nonp-main northamerica-northeast1
+# AU-12 - Enable Logging for Subnet
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeSubnetwork
 metadata:
@@ -34,6 +35,7 @@ spec:
   privateIpGoogleAccess: true
   networkRef:
     name: host-project-id-global-standard-vpc # kpt-set: ${host-project-id}-global-standard-vpc
+  # AU-12
   logConfig:
     aggregationInterval: INTERVAL_5_SEC
     flowSampling: 0.5
@@ -56,6 +58,7 @@ spec:
   privateIpGoogleAccess: true
   networkRef:
     name: host-project-id-global-standard-vpc # kpt-set: ${host-project-id}-global-standard-vpc
+  # AU-12
   logConfig:
     aggregationInterval: INTERVAL_5_SEC
     flowSampling: 0.5
@@ -78,6 +81,7 @@ spec:
   privateIpGoogleAccess: true
   networkRef:
     name: host-project-id-global-standard-vpc # kpt-set: ${host-project-id}-global-standard-vpc
+  # AU-12
   logConfig:
     aggregationInterval: INTERVAL_5_SEC
     flowSampling: 0.5
@@ -100,6 +104,7 @@ spec:
   privateIpGoogleAccess: true
   networkRef:
     name: host-project-id-global-standard-vpc # kpt-set: ${host-project-id}-global-standard-vpc
+  # AU-12
   logConfig:
     aggregationInterval: INTERVAL_5_SEC
     flowSampling: 0.5

solutions/client-landing-zone/client-folder/standard/firewall-policy/rules/network-isolation.yaml

@@ -14,6 +14,7 @@
 #########
 # Isolate non-protected subnet so it denies ingress traffic from pbmm subnet
 # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both.
+# AU-12 - Enable Logging for firewall
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeFirewallPolicyRule
 metadata:
@@ -26,6 +27,7 @@ spec:
   description: "Isolate non-protected subnet so it denies ingress traffic from pbmm subnet"
   direction: "INGRESS"
   disabled: false
+  # AU-12
   enableLogging: true
   # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
   firewallPolicyRef:
@@ -52,6 +54,7 @@ spec:
   description: "Isolate PBMM subnet so it denies ingress traffic from non-protected subnet"
   direction: "INGRESS"
   disabled: false
+  # AU-12
   enableLogging: true
   # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11)
   firewallPolicyRef:

solutions/client-landing-zone/securitycontrols.md

@@ -139,8 +139,37 @@
 |AC-4(21)|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-nonp-fwr|
 |AC-4(21)|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-pbmm-fwr|
 |AU-11|./setters.yaml|setters|
+|AU-12|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-deny-sanctioned-countries-ingress-fwr|
+|AU-12|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-deny-tor-nodes-ingress-traffic-fwr|
+|AU-12|./client-folder/firewall-policy/rules/defaults.yaml|client-name-client-folder-fwpol-exclude-private-ip-ranges-egress-fwr|
+|AU-12|./client-folder/firewall-policy/rules/os-updates.yaml|client-name-client-folder-fwpol-allow-os-updates-fwr|
+|AU-12|./client-folder/firewall-policy/rules/os-updates.yaml|client-name-client-folder-fwpol-allow-os-updates-fwr|
 |AU-12|./client-folder/folder-sink.yaml|platform-and-component-log-client-name-log-sink|
 |AU-12|./client-folder/folder-sink.yaml|platform-and-component-log-client-name-log-sink|
+|AU-12|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-deny-known-malicious-ip-egress-fwr|
+|AU-12|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-deny-known-malicious-ip-ingress-fwr|
+|AU-12|./client-folder/standard/applications-infrastructure/firewall-policy/rules/defaults.yaml|client-name-standard-applications-infrastructure-fwpol-exclude-private-ip-ranges-egress-fwr|
+|AU-12|./client-folder/standard/applications-infrastructure/host-project/network/dnspolicy.yaml|host-project-id-standard-logging-dnspolicy|
+|AU-12|./client-folder/standard/applications-infrastructure/host-project/network/dnspolicy.yaml|host-project-id-standard-logging-dnspolicy|
+|AU-12|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-egress-deny-fwr|
+|AU-12|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-default-ingress-deny-fwr|
+|AU-12|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-egress-allow-all-internal-fwr|
+|AU-12|./client-folder/standard/applications-infrastructure/host-project/network/firewall.yaml|host-project-id-standard-egress-allow-all-internal-fwr|
+|AU-12|./client-folder/standard/applications-infrastructure/host-project/network/nat.yaml|host-project-id-nane1-nat|
+|AU-12|./client-folder/standard/applications-infrastructure/host-project/network/nat.yaml|host-project-id-nane1-nat|
+|AU-12|./client-folder/standard/applications-infrastructure/host-project/network/nat.yaml|host-project-id-nane2-nat|
+|AU-12|./client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis/firewall.yaml|host-project-id-standard-egress-allow-psc-fwr|
+|AU-12|./client-folder/standard/applications-infrastructure/host-project/network/psc/google-apis/firewall.yaml|host-project-id-standard-egress-allow-psc-fwr|
+|AU-12|./client-folder/standard/applications-infrastructure/host-project/network/public-dns.yaml|client-name-standard-public-dns|
+|AU-12|./client-folder/standard/applications-infrastructure/host-project/network/public-dns.yaml|client-name-standard-public-dns|
+|AU-12|./client-folder/standard/applications-infrastructure/host-project/network/subnet.yaml|host-project-id-nane1-standard-nonp-main-snet|
+|AU-12|./client-folder/standard/applications-infrastructure/host-project/network/subnet.yaml|host-project-id-nane1-standard-nonp-main-snet|
+|AU-12|./client-folder/standard/applications-infrastructure/host-project/network/subnet.yaml|host-project-id-nane1-standard-pbmm-main-snet|
+|AU-12|./client-folder/standard/applications-infrastructure/host-project/network/subnet.yaml|host-project-id-nane2-standard-nonp-main-snet|
+|AU-12|./client-folder/standard/applications-infrastructure/host-project/network/subnet.yaml|host-project-id-nane2-standard-pbmm-main-snet|
+|AU-12|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-nonp-fwr|
+|AU-12|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-nonp-fwr|
+|AU-12|./client-folder/standard/firewall-policy/rules/network-isolation.yaml|client-name-standard-fwpol-isolate-pbmm-fwr|
 |AU-12|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket|
 |AU-12|./logging-project/cloud-logging-bucket.yaml|platform-and-component-client-name-log-bucket|
 |AU-12(1)|./client-folder/folder-sink.yaml|platform-and-component-log-client-name-log-sink|