GoogleCloudPlatform / pubsec-declarative-toolkit

The GCP PubSec Declarative Toolkit is a collection of declarative solutions to help you on your Journey to Google Cloud. Solutions are designed using Config Connector and deployed using Config Controller.
Apache License 2.0

Document landing-zone deletion via kpt live destroy landing-zone #209

Open obriensystems opened 1 year ago

obriensystems commented 1 year ago

sh changes in prep of adding delete to Arete shortly

As part of a CI/CD system, the LZ deletion is part of the flow: create-KCC cluster, kpt render, kpt delete, delete-KCC cluster. A straight deletion of the KCC cluster without first deleting the resources will leave them up.


michael@cloudshell:~/dev/pdt-oldev/obriensystems (kcc-lz-8597)$ kubectl get gcp | grep UpToDate 
accesscontextmanageraccesspolicy.accesscontextmanager.cnrm.cloud.google.com/orgaccesspolicy   85m   True    UpToDate   85m
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/commonaccesslevels        85m   True    UpToDate   85m
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/nonprodperimaccesslevel   85m   True    UpToDate   85m
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/prodaccesslevels          85m   True    UpToDate   85m
computefirewall.compute.cnrm.cloud.google.com/allow-egress-internet         85m   True    UpToDate   33m
computefirewall.compute.cnrm.cloud.google.com/allow-egress-internet-pr      85m   True    UpToDate   36m
computefirewall.compute.cnrm.cloud.google.com/allow-egress-internet-pu      85m   True    UpToDate   32m
computefirewall.compute.cnrm.cloud.google.com/allow-ssh-ingress             85m   True    UpToDate   34m
computefirewall.compute.cnrm.cloud.google.com/allow-ssh-ingress-pr          85m   True    UpToDate   36m
computefirewall.compute.cnrm.cloud.google.com/allow-ssh-ingressp            85m   True    UpToDate   36m
computefirewall.compute.cnrm.cloud.google.com/computefirewall-sample-deny   85m   True    UpToDate   34m
computefirewall.compute.cnrm.cloud.google.com/prod-firewall-default-deny    85m   True    UpToDate   34m
computeroute.compute.cnrm.cloud.google.com/egress-internet-nonprod   85m   True    UpToDate   34m
computeroute.compute.cnrm.cloud.google.com/egress-internet-prod      85m   True    UpToDate   34m
computeprojectmetadata.compute.cnrm.cloud.google.com/nonprod-oslogin-meta   85m   True    UpToDate   35m
computesubnetwork.compute.cnrm.cloud.google.com/common-ha-perimeter-subnet   85m   True    UpToDate   35m
computesubnetwork.compute.cnrm.cloud.google.com/management                   85m   True    UpToDate   36m
computesubnetwork.compute.cnrm.cloud.google.com/nonprod-sharedvpc-subnet     85m   True    UpToDate   34m
computesubnetwork.compute.cnrm.cloud.google.com/priv-perimeter-subnet        85m   True    UpToDate   36m
computesubnetwork.compute.cnrm.cloud.google.com/prod-sharedvpc-subnet        85m   True    UpToDate   34m
computesubnetwork.compute.cnrm.cloud.google.com/public-perimeter-subnet      85m   True    UpToDate   36m
computesharedvpchostproject.compute.cnrm.cloud.google.com/computesharedvpchostproject-sample   85m   True    UpToDate   34m
computesharedvpchostproject.compute.cnrm.cloud.google.com/nonprod-shared-vpc-host              85m   True    UpToDate   34m
computenetwork.compute.cnrm.cloud.google.com/common-ha-perimeter     85m   True    UpToDate   14m
computenetwork.compute.cnrm.cloud.google.com/common-mgmt-perimeter   85m   True    UpToDate   7m26s
computenetwork.compute.cnrm.cloud.google.com/nonprod-sharedvpc       85m   True    UpToDate   2m39s
computenetwork.compute.cnrm.cloud.google.com/priv-perimeter          85m   True    UpToDate   3m24s
computenetwork.compute.cnrm.cloud.google.com/prod-sharedvpc          85m   True    UpToDate   34m
computenetwork.compute.cnrm.cloud.google.com/public-perimeter        85m   True    UpToDate   4m47s
iampartialpolicy.iam.cnrm.cloud.google.com/audit-sink-writer   85m   True    UpToDate   31m
iampartialpolicy.iam.cnrm.cloud.google.com/log-sink-writer     85m   True    UpToDate   35m
iamserviceaccount.iam.cnrm.cloud.google.com/billing-service-account   85m   True    UpToDate   56m
iampolicymember.iam.cnrm.cloud.google.com/audit-viewer          85m   True    UpToDate   84m
iampolicymember.iam.cnrm.cloud.google.com/billing-iam-member    85m   True    UpToDate   37m
iampolicymember.iam.cnrm.cloud.google.com/log-reader            85m   True    UpToDate   84m
iampolicymember.iam.cnrm.cloud.google.com/log-writer            85m   True    UpToDate   84m
iampolicymember.iam.cnrm.cloud.google.com/organization-viewer   85m   True    UpToDate   85m
logginglogsink.logging.cnrm.cloud.google.com/audit-bucket-sink   85m   True    UpToDate   32m
logginglogsink.logging.cnrm.cloud.google.com/logs-bucket-sink    85m   True    UpToDate   36m
folder.resourcemanager.cnrm.cloud.google.com/audit-and-security                            85m   True    UpToDate   85m
folder.resourcemanager.cnrm.cloud.google.com/audit-and-security.audit                      85m   True    UpToDate   84m
folder.resourcemanager.cnrm.cloud.google.com/audit-and-security.security                   85m   True    UpToDate   84m
folder.resourcemanager.cnrm.cloud.google.com/automation                                    85m   True    UpToDate   85m
folder.resourcemanager.cnrm.cloud.google.com/infrastructure                                85m   True    UpToDate   85m
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.networking                     85m   True    UpToDate   84m
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.networking.nonprodnetworking   85m   True    UpToDate   83m
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.networking.prodnetworking      85m   True    UpToDate   83m
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.sharedinfrastructure           85m   True    UpToDate   84m
folder.resourcemanager.cnrm.cloud.google.com/sandbox                                       85m   True    UpToDate   85m
folder.resourcemanager.cnrm.cloud.google.com/shared-services                               85m   True    UpToDate   85m
folder.resourcemanager.cnrm.cloud.google.com/workloads                                     85m   True    UpToDate   85m
folder.resourcemanager.cnrm.cloud.google.com/workloads.dev                                 85m   True    UpToDate   82m
folder.resourcemanager.cnrm.cloud.google.com/workloads.prod                                85m   True    UpToDate   83m
folder.resourcemanager.cnrm.cloud.google.com/workloads.uat                                 85m   True    UpToDate   82m
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/allowed-contact-domains                85m   True    UpToDate       56m
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/allowed-policy-member-domain           85m   True    UpToDate       56m
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-guest-attribute-access         85m   True    UpToDate       85m
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-nested-virtualization          85m   True    UpToDate       85m
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-serial-port-access             85m   True    UpToDate       85m
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-serviceaccount-key-creation    85m   True    UpToDate       85m
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-vpc-external-ipv6              85m   True    UpToDate       85m
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/require-shielded-vm                    85m   True    UpToDate       85m
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/require-trusted-images                 85m   True    UpToDate       56m
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-loadbalancer-creation-types   85m   True    UpToDate       85m
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-os-login                      85m   True    UpToDate       85m
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-sql-public-ip                 85m   True    UpToDate       85m
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-vm-external-access            85m   True    UpToDate       85m
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-vpc-lien-removal              85m   True    UpToDate       85m
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-vpc-peering                   85m   True    UpToDate       56m
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/skip-default-network-creation          85m   True    UpToDate       85m
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/uniform-bucket-level-access            85m   True    UpToDate       85m
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/vm-can-ip-forward                      85m   True    UpToDate       56m
project.resourcemanager.cnrm.cloud.google.com/audit-prj-id-oldv1           85m   True    UpToDate   38m
project.resourcemanager.cnrm.cloud.google.com/guardrails-project-oldv1     85m   True    UpToDate   38m
project.resourcemanager.cnrm.cloud.google.com/net-host-prj-nonprod-oldv1   85m   True    UpToDate   37m
project.resourcemanager.cnrm.cloud.google.com/net-host-prj-prod-oldv1      85m   True    UpToDate   37m
project.resourcemanager.cnrm.cloud.google.com/net-per-prj-common-oldv1     85m   True    UpToDate   38m
service.serviceusage.cnrm.cloud.google.com/common-nethost-service-compute    85m   True    UpToDate   37m
service.serviceusage.cnrm.cloud.google.com/common-nethost-service-logging    85m   True    UpToDate   57m
service.serviceusage.cnrm.cloud.google.com/nonprod-nethost-service-compute   85m   True    UpToDate   35m
service.serviceusage.cnrm.cloud.google.com/nonprod-nethost-service-dns       85m   True    UpToDate   35m
service.serviceusage.cnrm.cloud.google.com/nonprod-nethost-service-logging   85m   True    UpToDate   55m
service.serviceusage.cnrm.cloud.google.com/prod-nethost-service-compute      85m   True    UpToDate   35m
service.serviceusage.cnrm.cloud.google.com/prod-nethost-service-logging      85m   True    UpToDate   55m
storagebucket.storage.cnrm.cloud.google.com/audit-audit-prj-id-oldv1        85m   True    UpToDate   32m
storagebucket.storage.cnrm.cloud.google.com/log-bucket-audit-prj-id-oldv1   85m   True    UpToDate   36m
michael@cloudshell:~/dev/pdt-oldev/obriensystems (kcc-lz-8597)$

  kpt live destroy landing-zone

michael@cloudshell:~/dev/pdt-oldev/obriensystems (kcc-lz-8597)$  kpt live destroy landing-zone
delete phase started
constrainttemplate.templates.gatekeeper.sh/namingpolicy delete successful
constrainttemplate.templates.gatekeeper.sh/limitegresstraffic delete successful
constrainttemplate.templates.gatekeeper.sh/datalocation delete successful
constrainttemplate.templates.gatekeeper.sh/cloudmarketplaceconfig delete successful
storagebucket.storage.cnrm.cloud.google.com/log-bucket-audit-prj-id-oldv1 delete successful
storagebucket.storage.cnrm.cloud.google.com/audit-audit-prj-id-oldv1 delete successful
service.serviceusage.cnrm.cloud.google.com/prod-nethost-service-logging delete successful
service.serviceusage.cnrm.cloud.google.com/prod-nethost-service-compute delete successful
service.serviceusage.cnrm.cloud.google.com/nonprod-nethost-service-logging delete successful
service.serviceusage.cnrm.cloud.google.com/nonprod-nethost-service-dns delete successful
service.serviceusage.cnrm.cloud.google.com/nonprod-nethost-service-compute delete successful
service.serviceusage.cnrm.cloud.google.com/common-nethost-service-logging delete successful
service.serviceusage.cnrm.cloud.google.com/common-nethost-service-compute delete successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/vm-can-ip-forward delete successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/uniform-bucket-level-access delete successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/storage-public-access-prevention delete successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/skip-default-network-creation delete successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-vpc-peering delete successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-vpc-lien-removal delete successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-vm-external-access delete successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-sql-public-ip delete successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-resource-locations delete successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-os-login delete successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-loadbalancer-creation-types delete successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/require-trusted-images delete successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/require-shielded-vm delete successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-vpc-external-ipv6 delete successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-serviceaccount-key-creation delete successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-serial-port-access delete successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-nested-virtualization delete successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-guest-attribute-access delete successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/allowed-policy-member-domain delete successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/allowed-contact-domains delete successful
project.resourcemanager.cnrm.cloud.google.com/net-per-prj-common-oldv1 delete successful
project.resourcemanager.cnrm.cloud.google.com/net-host-prj-prod-oldv1 delete successful
project.resourcemanager.cnrm.cloud.google.com/net-host-prj-nonprod-oldv1 delete successful
project.resourcemanager.cnrm.cloud.google.com/guardrails-project-oldv1 delete successful
project.resourcemanager.cnrm.cloud.google.com/audit-prj-id-oldv1 delete successful
folder.resourcemanager.cnrm.cloud.google.com/workloads.uat delete successful
folder.resourcemanager.cnrm.cloud.google.com/workloads.prod delete successful
folder.resourcemanager.cnrm.cloud.google.com/workloads.dev delete successful
folder.resourcemanager.cnrm.cloud.google.com/workloads delete successful
folder.resourcemanager.cnrm.cloud.google.com/shared-services delete successful
folder.resourcemanager.cnrm.cloud.google.com/sandbox delete successful
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.sharedinfrastructure delete successful
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.networking.prodnetworking delete successful
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.networking.nonprodnetworking delete successful
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.networking delete successful
folder.resourcemanager.cnrm.cloud.google.com/infrastructure delete successful
folder.resourcemanager.cnrm.cloud.google.com/automation delete successful
folder.resourcemanager.cnrm.cloud.google.com/audit-and-security.security delete successful
folder.resourcemanager.cnrm.cloud.google.com/audit-and-security.audit delete successful
folder.resourcemanager.cnrm.cloud.google.com/audit-and-security delete successful
logginglogsink.logging.cnrm.cloud.google.com/logs-bucket-sink delete successful
logginglogsink.logging.cnrm.cloud.google.com/audit-bucket-sink delete successful
iamserviceaccount.iam.cnrm.cloud.google.com/billing-service-account delete successful
iampolicymember.iam.cnrm.cloud.google.com/organization-viewer delete successful
iampolicymember.iam.cnrm.cloud.google.com/log-writer delete successful
iampolicymember.iam.cnrm.cloud.google.com/log-reader delete successful
iampolicymember.iam.cnrm.cloud.google.com/billing-iam-member delete successful
iampolicymember.iam.cnrm.cloud.google.com/audit-viewer delete successful
iampartialpolicy.iam.cnrm.cloud.google.com/log-sink-writer delete successful
iampartialpolicy.iam.cnrm.cloud.google.com/audit-sink-writer delete successful
computesubnetwork.compute.cnrm.cloud.google.com/public-perimeter-subnet delete successful
computesubnetwork.compute.cnrm.cloud.google.com/prod-sharedvpc-subnet delete successful
computesubnetwork.compute.cnrm.cloud.google.com/priv-perimeter-subnet delete successful
computesubnetwork.compute.cnrm.cloud.google.com/nonprod-sharedvpc-subnet delete successful
computesubnetwork.compute.cnrm.cloud.google.com/management delete successful
computesubnetwork.compute.cnrm.cloud.google.com/common-ha-perimeter-subnet delete successful
computesharedvpchostproject.compute.cnrm.cloud.google.com/nonprod-shared-vpc-host delete successful
computesharedvpchostproject.compute.cnrm.cloud.google.com/computesharedvpchostproject-sample delete successful
computeroute.compute.cnrm.cloud.google.com/egress-internet-prod delete successful
computeroute.compute.cnrm.cloud.google.com/egress-internet-nonprod delete successful
computeprojectmetadata.compute.cnrm.cloud.google.com/nonprod-oslogin-meta delete successful
computenetwork.compute.cnrm.cloud.google.com/public-perimeter delete successful
computenetwork.compute.cnrm.cloud.google.com/prod-sharedvpc delete successful
computenetwork.compute.cnrm.cloud.google.com/priv-perimeter delete successful
computenetwork.compute.cnrm.cloud.google.com/nonprod-sharedvpc delete successful
computenetwork.compute.cnrm.cloud.google.com/common-mgmt-perimeter delete successful
computenetwork.compute.cnrm.cloud.google.com/common-ha-perimeter delete successful
computefirewall.compute.cnrm.cloud.google.com/prod-firewall-default-deny delete successful
computefirewall.compute.cnrm.cloud.google.com/computefirewall-sample-deny delete successful
computefirewall.compute.cnrm.cloud.google.com/allow-ssh-ingressp delete successful
computefirewall.compute.cnrm.cloud.google.com/allow-ssh-ingress-pr delete successful
computefirewall.compute.cnrm.cloud.google.com/allow-ssh-ingress delete successful
computefirewall.compute.cnrm.cloud.google.com/allow-egress-internet-pu delete successful
computefirewall.compute.cnrm.cloud.google.com/allow-egress-internet-pr delete successful
computefirewall.compute.cnrm.cloud.google.com/allow-egress-internet delete successful
accesscontextmanageraccesspolicy.accesscontextmanager.cnrm.cloud.google.com/orgaccesspolicy delete successful
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/prodaccesslevels delete successful
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/nonprodperimaccesslevel delete successful
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/commonaccesslevels delete successful
configmap/setters delete successful
delete phase finished
reconcile phase started
constrainttemplate.templates.gatekeeper.sh/namingpolicy reconcile successful
constrainttemplate.templates.gatekeeper.sh/limitegresstraffic reconcile successful
constrainttemplate.templates.gatekeeper.sh/datalocation reconcile successful
constrainttemplate.templates.gatekeeper.sh/cloudmarketplaceconfig reconcile successful
storagebucket.storage.cnrm.cloud.google.com/log-bucket-audit-prj-id-oldv1 reconcile successful
storagebucket.storage.cnrm.cloud.google.com/audit-audit-prj-id-oldv1 reconcile successful
service.serviceusage.cnrm.cloud.google.com/prod-nethost-service-logging reconcile pending
service.serviceusage.cnrm.cloud.google.com/prod-nethost-service-compute reconcile pending
service.serviceusage.cnrm.cloud.google.com/nonprod-nethost-service-logging reconcile pending
service.serviceusage.cnrm.cloud.google.com/nonprod-nethost-service-dns reconcile pending
service.serviceusage.cnrm.cloud.google.com/nonprod-nethost-service-compute reconcile pending
service.serviceusage.cnrm.cloud.google.com/common-nethost-service-logging reconcile pending
service.serviceusage.cnrm.cloud.google.com/common-nethost-service-compute reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/vm-can-ip-forward reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/uniform-bucket-level-access reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/storage-public-access-prevention reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/skip-default-network-creation reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-vpc-peering reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-vpc-lien-removal reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-vm-external-access reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-sql-public-ip reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-resource-locations reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-os-login reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-loadbalancer-creation-types reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/require-trusted-images reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/require-shielded-vm reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-vpc-external-ipv6 reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-serviceaccount-key-creation reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-serial-port-access reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-nested-virtualization reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/disable-guest-attribute-access reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/allowed-policy-member-domain reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/allowed-contact-domains reconcile successful
project.resourcemanager.cnrm.cloud.google.com/net-per-prj-common-oldv1 reconcile pending
project.resourcemanager.cnrm.cloud.google.com/net-host-prj-prod-oldv1 reconcile pending
project.resourcemanager.cnrm.cloud.google.com/net-host-prj-nonprod-oldv1 reconcile pending
project.resourcemanager.cnrm.cloud.google.com/guardrails-project-oldv1 reconcile pending
project.resourcemanager.cnrm.cloud.google.com/audit-prj-id-oldv1 reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/workloads.uat reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/workloads.prod reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/workloads.dev reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/workloads reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/shared-services reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/sandbox reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.sharedinfrastructure reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.networking.prodnetworking reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.networking.nonprodnetworking reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.networking reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/infrastructure reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/automation reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/audit-and-security.security reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/audit-and-security.audit reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/audit-and-security reconcile pending
logginglogsink.logging.cnrm.cloud.google.com/logs-bucket-sink reconcile pending
logginglogsink.logging.cnrm.cloud.google.com/audit-bucket-sink reconcile pending
iamserviceaccount.iam.cnrm.cloud.google.com/billing-service-account reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/organization-viewer reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/log-writer reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/log-reader reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/billing-iam-member reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/audit-viewer reconcile pending
iampartialpolicy.iam.cnrm.cloud.google.com/log-sink-writer reconcile successful
iampartialpolicy.iam.cnrm.cloud.google.com/audit-sink-writer reconcile successful
computesubnetwork.compute.cnrm.cloud.google.com/public-perimeter-subnet reconcile pending
computesubnetwork.compute.cnrm.cloud.google.com/prod-sharedvpc-subnet reconcile pending
computesubnetwork.compute.cnrm.cloud.google.com/priv-perimeter-subnet reconcile pending
computesubnetwork.compute.cnrm.cloud.google.com/nonprod-sharedvpc-subnet reconcile pending
computesubnetwork.compute.cnrm.cloud.google.com/management reconcile pending
computesubnetwork.compute.cnrm.cloud.google.com/common-ha-perimeter-subnet reconcile pending
computesharedvpchostproject.compute.cnrm.cloud.google.com/nonprod-shared-vpc-host reconcile pending
computesharedvpchostproject.compute.cnrm.cloud.google.com/computesharedvpchostproject-sample reconcile pending
computeroute.compute.cnrm.cloud.google.com/egress-internet-prod reconcile pending
computeroute.compute.cnrm.cloud.google.com/egress-internet-nonprod reconcile pending
computeprojectmetadata.compute.cnrm.cloud.google.com/nonprod-oslogin-meta reconcile pending
computenetwork.compute.cnrm.cloud.google.com/public-perimeter reconcile pending
computenetwork.compute.cnrm.cloud.google.com/prod-sharedvpc reconcile pending
computenetwork.compute.cnrm.cloud.google.com/priv-perimeter reconcile pending
computenetwork.compute.cnrm.cloud.google.com/nonprod-sharedvpc reconcile pending
computenetwork.compute.cnrm.cloud.google.com/common-mgmt-perimeter reconcile pending
computenetwork.compute.cnrm.cloud.google.com/common-ha-perimeter reconcile pending
computefirewall.compute.cnrm.cloud.google.com/prod-firewall-default-deny reconcile pending
computefirewall.compute.cnrm.cloud.google.com/computefirewall-sample-deny reconcile pending
computefirewall.compute.cnrm.cloud.google.com/allow-ssh-ingressp reconcile pending
computefirewall.compute.cnrm.cloud.google.com/allow-ssh-ingress-pr reconcile pending
computefirewall.compute.cnrm.cloud.google.com/allow-ssh-ingress reconcile pending
computefirewall.compute.cnrm.cloud.google.com/allow-egress-internet-pu reconcile pending
computefirewall.compute.cnrm.cloud.google.com/allow-egress-internet-pr reconcile pending
computefirewall.compute.cnrm.cloud.google.com/allow-egress-internet reconcile pending
accesscontextmanageraccesspolicy.accesscontextmanager.cnrm.cloud.google.com/orgaccesspolicy reconcile pending
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/prodaccesslevels reconcile pending
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/nonprodperimaccesslevel reconcile pending
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/commonaccesslevels reconcile pending
configmap/setters reconcile pending
configmap/setters reconcile successful
project.resourcemanager.cnrm.cloud.google.com/net-per-prj-common-oldv1 reconcile successful
folder.resourcemanager.cnrm.cloud.google.com/workloads.uat reconcile successful
logginglogsink.logging.cnrm.cloud.google.com/logs-bucket-sink reconcile successful
logginglogsink.logging.cnrm.cloud.google.com/audit-bucket-sink reconcile successful
iamserviceaccount.iam.cnrm.cloud.google.com/billing-service-account reconcile successful
project.resourcemanager.cnrm.cloud.google.com/guardrails-project-oldv1 reconcile successful
folder.resourcemanager.cnrm.cloud.google.com/workloads.prod reconcile successful
folder.resourcemanager.cnrm.cloud.google.com/workloads.dev reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/organization-viewer reconcile successful
folder.resourcemanager.cnrm.cloud.google.com/shared-services reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/log-writer reconcile successful
folder.resourcemanager.cnrm.cloud.google.com/sandbox reconcile successful
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.sharedinfrastructure reconcile successful
folder.resourcemanager.cnrm.cloud.google.com/automation reconcile successful
folder.resourcemanager.cnrm.cloud.google.com/audit-and-security.security reconcile successful
accesscontextmanageraccesspolicy.accesscontextmanager.cnrm.cloud.google.com/orgaccesspolicy reconcile successful
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/nonprodperimaccesslevel reconcile successful
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/commonaccesslevels reconcile successful
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/prodaccesslevels reconcile successful
folder.resourcemanager.cnrm.cloud.google.com/workloads reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/billing-iam-member reconcile successful
service.serviceusage.cnrm.cloud.google.com/prod-nethost-service-logging reconcile successful
service.serviceusage.cnrm.cloud.google.com/prod-nethost-service-compute reconcile successful
service.serviceusage.cnrm.cloud.google.com/nonprod-nethost-service-compute reconcile successful
service.serviceusage.cnrm.cloud.google.com/common-nethost-service-logging reconcile successful
service.serviceusage.cnrm.cloud.google.com/common-nethost-service-compute reconcile successful
service.serviceusage.cnrm.cloud.google.com/nonprod-nethost-service-logging reconcile successful
service.serviceusage.cnrm.cloud.google.com/nonprod-nethost-service-dns reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/audit-viewer reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/log-reader reconcile successful
computesubnetwork.compute.cnrm.cloud.google.com/priv-perimeter-subnet reconcile successful
computesubnetwork.compute.cnrm.cloud.google.com/public-perimeter-subnet reconcile successful
computesubnetwork.compute.cnrm.cloud.google.com/common-ha-perimeter-subnet reconcile successful
computenetwork.compute.cnrm.cloud.google.com/public-perimeter reconcile successful
computefirewall.compute.cnrm.cloud.google.com/allow-ssh-ingressp reconcile successful
computefirewall.compute.cnrm.cloud.google.com/allow-egress-internet-pr reconcile successful

5 min wait state

computefirewall.compute.cnrm.cloud.google.com/allow-egress-internet-pu reconcile successful
computesubnetwork.compute.cnrm.cloud.google.com/management reconcile successful
computefirewall.compute.cnrm.cloud.google.com/allow-ssh-ingress-pr reconcile successful
computenetwork.compute.cnrm.cloud.google.com/common-ha-perimeter reconcile successful

3 min

computenetwork.compute.cnrm.cloud.google.com/common-mgmt-perimeter reconcile successful
computenetwork.compute.cnrm.cloud.google.com/priv-perimeter reconcile successful

15+ min.... waiting on 1 network deletion before 5 project deletions

obriensystems commented 1 year ago

cancel after 90 min - rerun on remaining

michael@cloudshell:~/dev/pdt-oldev/obriensystems (kcc-lz-8597)$ kpt live destroy landing-zone
delete phase started
project.resourcemanager.cnrm.cloud.google.com/net-host-prj-prod-oldv1 delete successful
project.resourcemanager.cnrm.cloud.google.com/net-host-prj-nonprod-oldv1 delete successful
project.resourcemanager.cnrm.cloud.google.com/audit-prj-id-oldv1 delete successful
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.networking.prodnetworking delete successful
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.networking.nonprodnetworking delete successful
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.networking delete successful
folder.resourcemanager.cnrm.cloud.google.com/infrastructure delete successful
folder.resourcemanager.cnrm.cloud.google.com/audit-and-security.audit delete successful
folder.resourcemanager.cnrm.cloud.google.com/audit-and-security delete successful
computesubnetwork.compute.cnrm.cloud.google.com/prod-sharedvpc-subnet delete successful
computesubnetwork.compute.cnrm.cloud.google.com/nonprod-sharedvpc-subnet delete successful
computesharedvpchostproject.compute.cnrm.cloud.google.com/nonprod-shared-vpc-host delete successful
computesharedvpchostproject.compute.cnrm.cloud.google.com/computesharedvpchostproject-sample delete successful
computeroute.compute.cnrm.cloud.google.com/egress-internet-prod delete successful
computeroute.compute.cnrm.cloud.google.com/egress-internet-nonprod delete successful
computeprojectmetadata.compute.cnrm.cloud.google.com/nonprod-oslogin-meta delete successful
computenetwork.compute.cnrm.cloud.google.com/prod-sharedvpc delete successful
computenetwork.compute.cnrm.cloud.google.com/nonprod-sharedvpc delete successful
computefirewall.compute.cnrm.cloud.google.com/prod-firewall-default-deny delete successful
computefirewall.compute.cnrm.cloud.google.com/computefirewall-sample-deny delete successful
computefirewall.compute.cnrm.cloud.google.com/allow-ssh-ingress delete successful
computefirewall.compute.cnrm.cloud.google.com/allow-egress-internet delete successful
delete phase finished
reconcile phase started
project.resourcemanager.cnrm.cloud.google.com/net-host-prj-prod-oldv1 reconcile pending
project.resourcemanager.cnrm.cloud.google.com/net-host-prj-nonprod-oldv1 reconcile pending
project.resourcemanager.cnrm.cloud.google.com/audit-prj-id-oldv1 reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.networking.prodnetworking reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.networking.nonprodnetworking reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.networking reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/infrastructure reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/audit-and-security.audit reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/audit-and-security reconcile pending
computesubnetwork.compute.cnrm.cloud.google.com/prod-sharedvpc-subnet reconcile pending
computesubnetwork.compute.cnrm.cloud.google.com/nonprod-sharedvpc-subnet reconcile pending
computesharedvpchostproject.compute.cnrm.cloud.google.com/nonprod-shared-vpc-host reconcile pending
computesharedvpchostproject.compute.cnrm.cloud.google.com/computesharedvpchostproject-sample reconcile pending
computeroute.compute.cnrm.cloud.google.com/egress-internet-prod reconcile pending
computeroute.compute.cnrm.cloud.google.com/egress-internet-nonprod reconcile pending
computeprojectmetadata.compute.cnrm.cloud.google.com/nonprod-oslogin-meta reconcile pending
computenetwork.compute.cnrm.cloud.google.com/prod-sharedvpc reconcile pending
computenetwork.compute.cnrm.cloud.google.com/nonprod-sharedvpc reconcile pending
computefirewall.compute.cnrm.cloud.google.com/prod-firewall-default-deny reconcile pending
computefirewall.compute.cnrm.cloud.google.com/computefirewall-sample-deny reconcile pending
computefirewall.compute.cnrm.cloud.google.com/allow-ssh-ingress reconcile pending
computefirewall.compute.cnrm.cloud.google.com/allow-egress-internet reconcile pending

fmichaelobrien commented 1 year ago

Removed lien on audit - expected storage bucket retrying

michael@cloudshell:~/dev/pdt-oldev/obriensystems/pubsec-declarative-toolkit (audit-prj-id-oldv1)$ gcloud alpha resource-manager liens list
NAME: p1013829665443-l3d6b1b03-5a1e-40ed-a7f5-6c28fbf7281e
ORIGIN: storage.googleapis.com
REASON: A lien is put on project deletion since Retention Policy was locked on a bucket.
michael@cloudshell:~/dev/pdt-oldev/obriensystems/pubsec-declarative-toolkit (audit-prj-id-oldv1)$ gcloud alpha resource-manager liens delete p1013829665443-l3d6b1b03-5a1e-40ed-a7f5-6c28fbf7281e
Deleted [liens/p1013829665443-l3d6b1b03-5a1e-40ed-a7f5-6c28fbf7281e].

fixed the audit folder - doing the others

folder.resourcemanager.cnrm.cloud.google.com/audit-and-security reconcile successful

obriensystems commented 1 year ago

for separate lien removal - or via pre-disable before delete see #211

For example - before the kpt live destroy - lifecycle can reconcile - we need to pre-disable the project or delete the lien

michael@cloudshell:~/dev/pdt-oldev/obriensystems (audit-prj-id-oldv1)$ gcloud config set project net-host-prj-prod-oldv1
Updated property [core/project].
michael@cloudshell:~/dev/pdt-oldev/obriensystems (net-host-prj-prod-oldv1)$ gcloud alpha resource-manager liens list
NAME: p553611293232-lb8bec0d8-ed46-45c2-81fb-3dda344e6008
ORIGIN: xpn.googleapis.com
REASON: This lien is added to prevent the deletion of this shared VPC host project. The host project should be disabled before it is deleted.
michael@cloudshell:~/dev/pdt-oldev/obriensystems (net-host-prj-prod-oldv1)$ gcloud alpha resource-manager liens delete  p553611293232-lb8bec0d8-ed46-45c2-81fb-3dda344e6008
Deleted [liens/p553611293232-lb8bec0d8-ed46-45c2-81fb-3dda344e6008].
michael@cloudshell:~/dev/pdt-oldev/obriensystems (net-host-prj-prod-oldv1)$

michael@cloudshell:~/dev/pdt-oldev/obriensystems (net-host-prj-prod-oldv1)$ kpt live destroy landing-zone
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.networking.prodnetworking reconcile successful

fmichaelobrien commented 1 year ago

the following lien removals allow the LZ delete to finish (or disable the projects before)

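  # capture only the lien ID; the default list output also carries ORIGIN and REASON
  gcloud config set project audit-prj-id-oldv1
  AUDIT_LIEN=$(gcloud alpha resource-manager liens list --format="value(name.basename())")
  gcloud alpha resource-manager liens delete "$AUDIT_LIEN"
  gcloud config set project net-host-prj-prod-oldv1
  PROD_LIEN=$(gcloud alpha resource-manager liens list --format="value(name.basename())")
  gcloud alpha resource-manager liens delete "$PROD_LIEN"
  gcloud config set project net-host-prj-nonprod-oldv1
  NONPROD_LIEN=$(gcloud alpha resource-manager liens list --format="value(name.basename())")
  gcloud alpha resource-manager liens delete "$NONPROD_LIEN"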

results

folder.resourcemanager.cnrm.cloud.google.com/infrastructure.networking reconcile successful
delete result: 10 attempted, 10 successful, 0 skipped, 0 failed
reconcile result: 10 attempted, 10 successful, 0 skipped, 0 failed, 0 timed out
michael@cloudshell:~/dev/pdt-oldev/obriensystems (net-host-prj-nonprod-oldv1)$
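
To see which resources a stalled destroy is still waiting on, the log can be filtered for resources whose last reported state is "reconcile pending"; stuck Project resources are the ones to check for liens. This is an added example, not part of the original thread or the toolkit; the function names stuck_resources and stuck_projects and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list resources that kpt live destroy
# deleted but that never finished reconciling.

# stuck_resources: read destroy output on stdin; print every resource whose
# last reported reconcile status is "pending", in first-seen order.
stuck_resources() {
  awk '
    $2 == "reconcile" {
      if (!($1 in state)) order[++n] = $1
      state[$1] = $3
    }
    END {
      for (i = 1; i <= n; i++)
        if (state[order[i]] == "pending") print order[i]
    }'
}

# stuck_projects: keep only Project resources and print the project name,
# which is what a per-project lien check needs.
stuck_projects() {
  stuck_resources |
    awk -F/ '$1 == "project.resourcemanager.cnrm.cloud.google.com" { print $2 }'
}

# Constructed sample, modelled on the log lines in this thread.
SAMPLE_LOG='delete phase started
project.resourcemanager.cnrm.cloud.google.com/audit-prj-id-oldv1 delete successful
folder.resourcemanager.cnrm.cloud.google.com/audit-and-security delete successful
computefirewall.compute.cnrm.cloud.google.com/allow-ssh-ingress delete successful
delete phase finished
reconcile phase started
project.resourcemanager.cnrm.cloud.google.com/audit-prj-id-oldv1 reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/audit-and-security reconcile pending
computefirewall.compute.cnrm.cloud.google.com/allow-ssh-ingress reconcile pending
computefirewall.compute.cnrm.cloud.google.com/allow-ssh-ingress reconcile successful'

# Print the projects from the sample that are still pending.
printf '%s\n' "$SAMPLE_LOG" | stuck_projects
```

Against a real run, pipe the saved output of kpt live destroy into stuck_projects and run the lien list command from this thread in each project it prints.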

obriensystems commented 1 year ago

recycling cluster to deploy lz2 2nd kpt live destroy landing-zone

Switching to KCC project kcc-lz-8597
Updated property [core/project].
Fetching cluster endpoint and auth data.
kubeconfig entry generated for krmapihost-pdt-pdtoldev.
Context "gke_kcc-lz-8597_northamerica-northeast1_krmapihost-pdt-pdtoldev" modified.
Active namespace is "config-control".
Deleting
delete phase started
service.serviceusage.cnrm.cloud.google.com/nonprod-nethost-service-logging delete successful
delete phase finished
reconcile phase started
service.serviceusage.cnrm.cloud.google.com/nonprod-nethost-service-logging reconcile pending