New Organization Day 0: walkthrough/automation example

[fmichaelobrien]

20231018: installing the projects/hub package in #446 recreation of lz from scratch in a new org - to verify script #611 deletion is in #593

20230714: to review

• https://github.com/ssc-spc-ccoe-cei/gcp-documentation/blob/main/Architecture/Repository%20Structure.md#hydration-process Short Sequence
• get a new org (kcc-kls) (cloudlift reserved for interconnect use case)
• start at https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/docs/landing-zone-v2/README.md
• above points to https://github.com/ssc-spc-ccoe-cei/gcp-documentation
• issue to make it clearer where to start in gcp-documentation https://github.com/ssc-spc-ccoe-cei/gcp-documentation/issues/25
• if we start at the following for an unmanaged install - it also back references 2nd above https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/docs/landing-zone-v2/README.md#organization for interleaved content
• https://github.com/ssc-spc-ccoe-cei/gcp-documentation/blob/main/Landing%20Zone%20Operations/Building.md
• run https://github.com/ssc-spc-ccoe-cei/gcp-tools/blob/main/scripts/bootstrap/setup-kcc.sh
• above deprecates https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/docs/advanced-install.md
• review https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/docs/landing-zone-v2/onboarding-admin.md
• continue review of setup-kcc.sh https://github.com/ssc-spc-ccoe-cei/gcp-tools/issues/32

20230523: udpate

• kcc cluster up via https://github.com/ssc-spc-ccoe-cei/gcp-tools/issues/32 with secure boot disable and wait state on project creation

Issues pending

• DI1: add sleep(30) on project creation to avoid failure on VPC creation - see PR https://github.com/ssc-spc-ccoe-cei/gcp-tools/pull/38
• DI2: add options for org and billing id generation from current project
• DI3: add check on constraints/compute.requireShieldedVm - make sure it is off to avoid GKE creation failure (it is set by previous runs of the LZ) - see https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/132
• moving back to main readme

• 20230503: update Adjust in place the following script in the gcp-tools repo https://github.com/ssc-spc-ccoe-cei/gcp-tools/blob/main/scripts/bootstrap/setup-kcc.sh https://github.com/ssc-spc-ccoe-cei/gcp-tools/issues/32

---

see https://github.com/ssc-spc-ccoe-cei/gcp-documentation/issues/12 see https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/344

Older walk through https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/33

Work Items:

• migrate/retrofit script to landing-zone-v2 from https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/dev/solutions/landing-zone/deployment.sh
• complete https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/landing-zone-v2/README.md#gke-autopilot---fully-managed-cluster use https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/dev/docs/advanced-install.md#gke-autopilot---recommended

General Docs

• https://kustomize.io/

[obriensystems]

20230814: update for kpt deployment option https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/445#issuecomment-1669512029 https://cloud.google.com/architecture/managing-cloud-infrastructure-using-kpt

Onboarding:

• follow the 10 step Google Cloud Setup Checklist https://cloud.google.com/docs/enterprise/setup-checklist

• Start with a clean organization - in this case Cloud Identity based

• remove the "Project Creator" and "Billing Account Creator" IAM roles and move them to the super admin identity account https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/290

  

[obriensystems]

2nd environment: kcc.landing.systems

 gcloud config set project kcc-kls
 mkdir kcc-kls
 cd kcc-kls/

move deployment.sh from #192 and retrofit for v2

mkdir CloudLandingSystems
git clone https://github.com/CloudLandingZone/pubsec-declarative-toolkit.git
cd pubsec-declarative-toolkit/
cd solutions/
cd landing-zone-v2/
git checkout canary
cp ../landing-zone/deployment.sh .
cp ../landing-zone/vars.sh .
rm -rf ../landing-zone/deployment.sh
rm -rf ../landing-zone/vars.sh
git add deployment.sh
git add vars.sh
git add ../landing-zone/
git commit -m "#192 - move deployment sh to v2"
git push origin canary

current state before retrofit

root_@cloudshell:~/kcc-kls/pubsec-declarative-toolkit/solutions/landing-zone-v2 (kcc-kls)$ ./deployment.sh -b kcc-kls -u pdt -c true -l false -d false
Date: Tue 04 Apr 2023 11:28:32 PM UTC
Timestamp: 1680650912
running with: -b kcc-kls -u pdt -c true -l false -d false -p
Updated property [core/project].
Switched back to boot project kcc-kls
Start: 1680650913
unique string: pdt
REGION: northamerica-northeast1
NETWORK: pdt-pdt-vpc
SUBNET: pdt-pdt-sn
CLUSTER: pdt-pdt
Creating project: kcc-lz-7481
CC_PROJECT_ID:
BOOT_PROJECT_ID: kcc-kls
BILLING_ID: 015254-F59978-C1E833
ORG_ID: 156483884993
CrEATING KCC project: kcc-lz-7481
Create in progress for [https://cloudresourcemanager.googleapis.com/v1/projects/kcc-lz-7481].
Waiting for [operations/cp.8430656173149901564] to finish...done.     
Enabling service [cloudapis.googleapis.com] on project [kcc-lz-7481]...
Operation "operations/acat.p2-1037027337829-e5d32d3d-6ce4-4dc1-9b99-86b899a95459" finished successfully.
Updated property [core/project] to [kcc-lz-7481].
Updated property [core/project].
billingAccountName: billingAccounts/015254-F59978-C1E833
billingEnabled: true
name: projects/kcc-lz-7481/billingInfo
projectId: kcc-lz-7481
Enabling APIs

Operation "operations/acf.p2-1037027337829-8a7587ef-a733-451e-8bbb-361d10c3bc54" finished successfully.
Operation "operations/acat.p2-1037027337829-fe235637-86da-4ef9-8159-ea8ee8136842" finished successfully.
Operation "operations/acat.p2-1037027337829-f6fe8440-ae04-4e1d-a1ea-ccd3d25afdfd" finished successfully.
Operation "operations/acat.p2-1037027337829-72211ce5-a45b-4e48-8767-31a58866b6fc" finished successfully.
Create VPC: pdt-pdt-vpc
Created [https://www.googleapis.com/compute/v1/projects/kcc-lz-7481/global/networks/pdt-pdt-vpc].
NAME: pdt-pdt-vpc
SUBNET_MODE: CUSTOM
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE:
GATEWAY_IPV4:

Instances on this network will not be reachable until firewall rules
are created. As an example, you can allow all internal traffic between
instances as well as SSH, RDP, and ICMP by running:

$ gcloud compute firewall-rules create <FIREWALL_NAME> --network pdt-pdt-vpc --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network pdt-pdt-vpc --allow tcp:22,tcp:3389,icmp

Create subnet pdt-pdt-sn off VPC: pdt-pdt-vpc
Created [https://www.googleapis.com/compute/v1/projects/kcc-lz-7481/regions/northamerica-northeast1/subnetworks/pdt-pdt-sn].
NAME: pdt-pdt-sn
REGION: northamerica-northeast1
NETWORK: pdt-pdt-vpc
RANGE: 192.168.0.0/16
STACK_TYPE: IPV4_ONLY
IPV6_ACCESS_TYPE:
INTERNAL_IPV6_PREFIX:
EXTERNAL_IPV6_PREFIX:
Creating Anthos KCC autopilot cluster pdt-pdt in region northamerica-northeast1 in subnet pdt-pdt-sn off VPC pdt-pdt-vpc
Create request issued for: [pdt-pdt]
Waiting for operation [projects/kcc-lz-7481/locations/northamerica-northeast1/operations/operation-1680651064090-5f88b11aa9f8f-7ba1d502-afe51dab] to complete...working.. 

Waiting for operation [projects/kcc-lz-7481/locations/northamerica-northeast1/operations/operation-1680651064090-5f88b11aa9f8f-7ba1d502-afe51dab] to complete...done.     
Created instance [pdt-pdt].
Fetching cluster endpoint and auth data.
kubeconfig entry generated for krmapihost-pdt-pdt.
Cluster create time: 923 sec
Fetching cluster endpoint and auth data.
kubeconfig entry generated for krmapihost-pdt-pdt.
Context "gke_kcc-lz-7481_northamerica-northeast1_krmapihost-pdt-pdt" modified.
Active namespace is "config-control".
List Clusters:
NAME: pdt-pdt
LOCATION: northamerica-northeast1
STATE: RUNNING
Total Duration: 1078 sec
Date: Tue 04 Apr 2023 11:46:31 PM UTC
Timestamp: 1680651991
Updated property [core/project].
Switched back to boot project kcc-kls

[obriensystems]

LZ V2 install - follow

• https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit
• need link from above to
• https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions/landing-zone-v2
• https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/docs/landing-zone-v2/README.md
• follow documentation link
• https://github.com/ssc-spc-ccoe-cei/gcp-documentation
• determine which procedure to use to bootstrap a default landing zone
• the LZ operations link looks relevant https://github.com/ssc-spc-ccoe-cei/gcp-documentation/blob/main/Landing%20Zone%20Operations/Building.md#landing-zone-building
• place a PDT link to https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/docs/landing-zone-v2/README.md below
• https://github.com/ssc-spc-ccoe-cei/gcp-documentation/blob/main/Landing%20Zone%20Operations/Building.md#3-deploy-the-infrastructure-using-either-kpt-or-gitops-git-or-gitops-oci

[obriensystems]

modifying https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/docs/landing-zone-v2/README.md#initial-organization-configuration

root_@cloudshell:~/kcc-kls/CloudLandingSystems/pubsec-declarative-toolkit (kcc-kls)$ export REGION=northamerica-northeast1
root_@cloudshell:~/kcc-kls/CloudLandingSystems/pubsec-declarative-toolkit (kcc-kls)$ export PROJECT_ID=kcc-kls
root_@cloudshell:~/kcc-kls/CloudLandingSystems/pubsec-declarative-toolkit (kcc-kls)$ export NETWORK=vpc-pdt
root_@cloudshell:~/kcc-kls/CloudLandingSystems/pubsec-declarative-toolkit (kcc-kls)$ export SUBNET=vpc-pdt-sn
root_@cloudshell:~/kcc-kls/CloudLandingSystems/pubsec-declarative-toolkit (kcc-kls)$ export ORG_ID=$(gcloud projects get-ancestors $PROJECT_ID --format='get(id)' | tail -1)
root_@cloudshell:~/kcc-kls/CloudLandingSystems/pubsec-declarative-toolkit (kcc-kls)$ echo $ORG_ID
156483884993
root_@cloudshell:~/kcc-kls/CloudLandingSystems/pubsec-declarative-toolkit (kcc-kls)$ export PROJECT_ID=$(gcloud config list --format 'value(core.project)')
root_@cloudshell:~/kcc-kls/CloudLandingSystems/pubsec-declarative-toolkit (kcc-kls)$ echo $PROJECT_ID
kcc-kls
root_@cloudshell:~/kcc-kls/CloudLandingSystems/pubsec-declarative-toolkit (kcc-kls)$ gcloud alpha logging settings update --organization=$ORG_ID --storage-location=$REGION
name: organizations/156483884993/settings
storageLocation: northamerica-northeast1
root_@cloudshell:~/kcc-kls/CloudLandingSystems/pubsec-declarative-toolkit (kcc-kls)$ export BILLING_ID=$(gcloud alpha billing projects describe $PROJECT_ID '--format=value(billingAccountName)' | sed 's/.*\///')
root_@cloudshell:~/kcc-kls/CloudLandingSystems/pubsec-declarative-toolkit (kcc-kls)$ echo $BILLING_ID
015254-F59978-C....3
root_@cloudshell:~/kcc-kls/CloudLandingSystems/pubsec-declarative-toolkit (kcc-kls)$ export GIT_USERNAME=obrien..
root_@cloudshell:~/kcc-kls/CloudLandingSystems/pubsec-declarative-toolkit (kcc-kls)$ export TOKEN=ghp_le....
root_@cloudshell:~/kcc-kls/CloudLandingSystems/pubsec-declarative-toolkit (kcc-kls)$ gcloud services enable accesscontextmanager.googleapis.com --project=${PROJECT_ID}
Operation "operations/acat.p2-42871636050-623e2e31-f014-48bd-8402-077a06f4bf3e" finished successfully.
root_@cloudshell:~/kcc-kls/CloudLandingSystems/pubsec-declarative-toolkit (kcc-kls)$ gcloud access-context-manager policies list --organization=${ORG_ID}
Listed 0 items.
root_@cloudshell:~/kcc-kls/CloudLandingSystems/pubsec-declarative-toolkit (kcc-kls)$ gcloud access-context-manager policies create \
      --organization=organizations/${ORG_ID} --title="My Policy"
ERROR: (gcloud.access-context-manager.policies.create) PERMISSION_DENIED: The caller does not have permission
root_@cloudshell:~/kcc-kls/CloudLandingSystems/pubsec-declarative-toolkit (kcc-kls)$ export EMAIL=$(gcloud config list --format json|jq .core.account | sed 's/"//g')
root_@cloudshell:~/kcc-kls/CloudLandingSystems/pubsec-declarative-toolkit (kcc-kls)$ gcloud organizations add-iam-policy-binding "${ORG_ID}" --member "user:${EMAIL}" --role roles/accesscontextmanager.policyAdmin

actually new kcc project must be created first
root_@cloudshell:~/kcc-kls/CloudLandingSystems/pubsec-declarative-toolkit (kcc-kls)$ export BOOT_PROJECT_ID=$(gcloud config list --format 'value(core.project)')
root_@cloudshell:~/kcc-kls/CloudLandingSystems/pubsec-declarative-toolkit (kcc-kls)$ export PROJECT_ID=$BOOT_PROJECT_ID-$CC_PROJECT_RAND
root_@cloudshell:~/kcc-kls/CloudLandingSystems/pubsec-declarative-toolkit (kcc-kls)$ echo $PROJECT_ID

root_@cloudshell:~/kcc-kls/CloudLandingSystems/pubsec-declarative-toolkit (kcc-kls)$ gcloud projects create $PROJECT_ID --set-as-default --organization=$ORG_ID
Create in progress for [https://cloudresourcemanager.googleapis.com/v1/projects/kcc-kls-5018].
Waiting for [operations/cp.6520471906886052077] to finish...done.    
Enabling service [cloudapis.googleapis.com] on project [kcc-kls-5018]...
Operation "operations/acat.p2-674792587866-0ecca381-811f-4061-aaf2-b80edafaf9f7" finished successfully.
Updated property [core/project] to [kcc-kls-5018].
root_@cloudshell:~/kcc-kls/CloudLandingSystems/pubsec-declarative-toolkit (kcc-kls-5018)$ gcloud beta billing projects link $PROJECT_ID --billing-account $BILLING_ID
billingAccountName: billingAccounts/015254-F59978-C1...
billingEnabled: true
name: projects/kcc-kls-5018/billingInfo
projectId: kcc-kls-5018
root_@cloudshell:~/kcc-kls/CloudLandingSystems/pubsec-declarative-toolkit (kcc-kls-5018)$ gcloud config set project $PROJECT_ID
Updated property [core/project].
root_@cloudshell:~/kcc-kls/CloudLandingSystems/pubsec-declarative-toolkit (kcc-kls-5018)$ gcloud services enable krmapihosting.googleapis.com container.googleapis.com cloudresourcemanager.googleapis.com cloudbilling.googleapis.com serviceusage.googleapis.com servicedirectory.googleapis.com dns.googleapis.com

root_@cloudshell:~/kcc-kls/CloudLandingSystems/pubsec-declarative-toolkit (kcc-kls-5018)$ gcloud compute networks create $NETWORK --subnet-mode=custom
Created [https://www.googleapis.com/compute/v1/projects/kcc-kls-5018/global/networks/vpc-pdt].
NAME: vpc-pdt
SUBNET_MODE: CUSTOM
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE:
GATEWAY_IPV4:

Instances on this network will not be reachable until firewall rules
are created. As an example, you can allow all internal traffic between
instances as well as SSH, RDP, and ICMP by running:

$ gcloud compute firewall-rules create <FIREWALL_NAME> --network vpc-pdt --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network vpc-pdt --allow tcp:22,tcp:3389,icmp

root_@cloudshell:~/kcc-kls/CloudLandingSystems/pubsec-declarative-toolkit (kcc-kls-5018)$ gcloud compute networks subnets create $SUBNET  \
    --network $NETWORK \
    --range 192.168.0.0/16 \
    --region $REGION \
    --stack-type=IPV4_ONLY \
    --enable-private-ip-google-access \
    --enable-flow-logs --logging-aggregation-interval=interval-5-sec --logging-flow-sampling=1.0 --logging-metadata=include-all

Created [https://www.googleapis.com/compute/v1/projects/kcc-kls-5018/regions/northamerica-northeast1/subnetworks/vpc-pdt-sn].
NAME: vpc-pdt-sn
REGION: northamerica-northeast1
NETWORK: vpc-pdt
RANGE: 192.168.0.0/16
STACK_TYPE: IPV4_ONLY
IPV6_ACCESS_TYPE:
INTERNAL_IPV6_PREFIX:
EXTERNAL_IPV6_PREFIX:

oot_@cloudshell:~/kcc-kls/CloudLandingSystems/pubsec-declarative-toolkit (kcc-kls-5018)$ gcloud compute routers create kcc-router --project=$PROJECT_ID  --network=$NETWORK  --asn=64513 --region=$REGION
Creating router [kcc-router]...done.     
NAME: kcc-router
REGION: northamerica-northeast1
NETWORK: vpc-pdt
root_@cloudshell:~/kcc-kls/CloudLandingSystems/pubsec-declarative-toolkit (kcc-kls-5018)$ gcloud compute routers nats create kcc-router --router=kcc-router --region=$REGION --auto-allocate-nat-external-ips --nat-all-subnet-ip-ranges --enable-logging
Creating NAT [kcc-router] in router [kcc-router]...working.

at line 194 on kcc.landing.systems

[fmichaelobrien]

Align with ACM alignment across docs in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/349

[obriensystems]

402

remove alpha API from deployment.sh rerun

gcloud alpha logging settings update --organization=$ORG_ID --storage-location=$REGION
gcloud alpha anthos config controller create $CLUSTER --location $REGION --network $NETWORK --subnet $SUBNET --full-management
gcloud alpha resource-manager liens delete $PROD_LIEN

[fmichaelobrien]

returning from https://github.com/ssc-spc-ccoe-cei/gcp-tools/issues/32 CC cluster up - installing minimum LZ V2

follow https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/docs/landing-zone-v2#fetch-the-packages

admin_@cloudshell:~$ gcloud config set project pdt-arg-kcc11
admin_@cloudshell:~/pdt-arg/main (pdt-arg-kcc11)$ git clone https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git
admin_@cloudshell:~/pdt-arg/main/pubsec-declarative-toolkit/solutions (pdt-arg-kcc11)$ cd ../../../
admin_@cloudshell:~/pdt-arg (pdt-arg-kcc11)$ cd main
admin_@cloudshell:~/pdt-arg/main (pdt-arg-kcc11)$ 
admin_@cloudshell:~/pdt-arg/main (pdt-arg-kcc11)$ kpt pkg get https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git/solutions/gatekeeper-policies@main
Package "gatekeeper-policies":
Fetching https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit@main
From https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit
 * branch            main       -> FETCH_HEAD
 + 7f5e9ec...4ec915c main       -> origin/main  (forced update)
Adding package "solutions/gatekeeper-policies".

Fetched 1 package(s).

admin_@cloudshell:~/pdt-arg/main (pdt-arg-kcc11)$ kpt pkg get https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git/solutions/core-landing-zone@0.2.0
Package "core-landing-zone":
Fetching https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit@0.2.0
From https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit
 * tag               solutions/core-landing-zone/0.2.0 -> FETCH_HEAD
Adding package "solutions/core-landing-zone".

Fetched 1 package(s).

values.yaml

  org-id: "2260...4"
  lz-folder-id: 'pd...cc11'
  billing-id: "01A...82"

management-project-id: management-project-arg11
  management-project-number: "83...59"
  management-namespace: config-control
  #
  ##########################
  # Org Policies
  ##########################
  #
  # The following are Settings for some org policies
  #
  # a list of allowed trusted image projects, see YAML file for more info:
  # org/org-policies/compute-trusted-image-projects.yaml
  # this setting can be left as default or modified as required
  allowed-trusted-image-projects: |
    - "projects/cos-cloud"
  #
  # a list of allowed essential contact domains, see YAML file for more info:
  # org/org-policies/essentialcontacts-allowed-contact-domains.yaml
  # this setting MUST be changed
  allowed-contact-domains: |
    - "@fm...at.com"
  #
  # a list of directory customer IDs from which users can be added to IAM policies, see YAML file for more info:
  # org/org-policies/iam-allowed-policy-member-domains.yaml
  # this setting MUST be changed to include the GCP org's directory ID and any other directory containing users that will need IAM roles assigned
  allowed-policy-domain-members: |
    - "admin"
  #

  allowed-vpc-peering: |
    - "under:organizations/226...214"

  logging-project-id: logging-project-arg11
  security-log-bucket: security-log-bucket-arg11
  platform-and-component-log-bucket: platform-and-component-log-bucket-arg11

or do a reverse copy - already in gp
admin_@cloudshell:~/pdt-arg/main (pdt-arg-kcc11)$ vi core-landing-zone/.krmignore
add constraints.yaml
admin_@cloudshell:~/pdt-arg/main (pdt-arg-kcc11)$ cp core-landing-zone/.krmignore gatekeeper-policies/

admin_@cloudshell:~/pdt-arg/main (pdt-arg-kcc11)$   kpt live init gatekeeper-policies --namespace config-control
initializing "resourcegroup.yaml" data (namespace: config-control)...success

admin_@cloudshell:~/pdt-arg/main (pdt-arg-kcc11)$ kpt fn render gatekeeper-policies
Package "gatekeeper-policies/guardrails": 
Package "gatekeeper-policies/naming-rules/project": 
[RUNNING] "gcr.io/kpt-fn/apply-setters:v0.2"
[PASS] "gcr.io/kpt-fn/apply-setters:v0.2" in 1.9s
  Results:
    [info] spec.parameters.client_code: set field value to "^(aa|bb|cc)"
    [info] spec.parameters.env_code: set field value to "^(aa|bb|cc)d"

Package "gatekeeper-policies": 
Successfully executed 1 function(s) in 3 package(s).

dmin_@cloudshell:~/pdt-arg/main (pdt-arg-kcc11)$ kpt live apply gatekeeper-policies --reconcile-timeout=2m --output=table
Error: 4 resource types could not be found in the cluster or as CRDs among the applied resources.

Resource types:
constraints.gatekeeper.sh/v1beta1, Kind=DataLocation
constraints.gatekeeper.sh/v1beta1, Kind=LimitEgressTraffic
constraints.gatekeeper.sh/v1beta1, Kind=CloudMarketPlaceConfig
constraints.gatekeeper.sh/v1beta1, Kind=NamingPolicyProject

checking yaml
This apiVersion and/or kind does not reference a schema known by Cloud Code. Please ensure you are using a valid apiVersion and kind.

skip constraints for now - this is normal as there is a .krmignore

kpt live apply core-landing-zone --reconcile-timeout=2m --output=table
admin_@cloudshell:~/pdt-arg/main (pdt-arg-kcc11)$ kpt live init core-landing-zone --namespace config-control
initializing "resourcegroup.yaml" data (namespace: config-control)...success
admin_@cloudshell:~/pdt-arg/main (pdt-arg-kcc11)$  kpt fn render core-landing-zone
Package "core-landing-zone": 
[RUNNING] "gcr.io/kpt-fn/apply-setters:v0.2"
[PASS] "gcr.io/kpt-fn/apply-setters:v0.2" in 500ms
  Results:
    [info] spec.folderRef.external: set field value to "pdt-arg-kcc11"
    [info] metadata.name: set field value to "security-log-bucket-arg11"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/logging-project-arg11"
    [info] spec.projectRef.name: set field value to "logging-project-arg11"
    ...(203 line(s) truncated, use '--truncate-output=false' to disable)

Successfully executed 1 function(s) in 1 package(s).

            Namespace/hierarchy                       Successful    Current                 <None>                                    9s      Resource is current                     
            Namespace/logging                         Successful    Current                 <None>                                    9s      Resource is current                     
            Namespace/networking                      Successful    Current                 <None>                                    9s      Resource is current                     
            Namespace/policies                        Successful    Current                 <None>                                    9s      Resource is current                     
            Namespace/projects                        Successful    Current                 <None>                                    8s      Resource is current                     
config-con  IAMCustomRole/gke-firewall-admin          Successful    Failed                  Ready                                     8s      Update call failed: error fetching live 
config-con  IAMCustomRole/tier2-dnsrecord-admin       Successful    Failed                  Ready                                     7s      Update call failed: error fetching live 
config-con  IAMCustomRole/tier2-vpcpeering-admin      Successful    Failed                  Ready                                     7s      Update call failed: error fetching live 
config-con  IAMCustomRole/tier3-dnsrecord-admin       Successful    Failed                  Ready                                     7s      Update call failed: error fetching live 
config-con  IAMCustomRole/tier3-firewallrule-admin    Successful    Failed                  Ready                                     6s      Update call failed: error fetching live 
config-con  IAMCustomRole/tier3-vpcsc-admin           Successful    Failed                  Ready                                     6s      Update call failed: error fetching live 
config-con  IAMPartialPolicy/gatekeeper-admin-sa-wor  Successful    InProgress              Ready                                     6s      reference IAMServiceAccount config-contr
config-con  IAMPartialPolicy/hierarchy-sa-workload-i  Successful    InProgress              Ready                                     6s      reference IAMServiceAccount config-contr
config-con  IAMPartialPolicy/logging-sa-workload-ide  Successful    InProgress              Ready                                     6s      reference IAMServiceAccount config-contr
config-con  IAMPartialPolicy/networking-sa-workload-  Successful    InProgress              Ready                                     6s      reference IAMServiceAccount config-contr
config-con  IAMPartialPolicy/policies-sa-workload-id  Successful    InProgress              Ready                                     5s      reference IAMServiceAccount config-contr
config-con  IAMPartialPolicy/projects-sa-workload-id  Successful    InProgress              Ready                                     5s      reference IAMServiceAccount config-contr
config-con  IAMPolicyMember/config-control-sa-manage  Successful    Failed                  Ready                                     5s      Update call failed: error fetching live 
config-con  IAMPolicyMember/config-control-sa-manage  Successful    Failed                  Ready                                     5s      Update call failed: error fetching live 
config-con  IAMPolicyMember/config-control-sa-orgrol  Successful    Unknown                 <None>                                    5s      status.ObservedGeneration not found     
config-con  IAMPolicyMember/gatekeeper-admin-sa-metr  Successful    Failed                  Ready                                     5s      Update call failed: error fetching live 
config-con  IAMPolicyMember/hierarchy-sa-folderadmin  Successful    Failed                  Ready                                     4s      Update call failed: error fetching live 
config-con  IAMPolicyMember/logging-sa-bigqueryadmin  Successful    Failed                  Ready                                     4s      Update call failed: error fetching live 
config-con  IAMPolicyMember/logging-sa-logadmin-perm  Successful    Unknown                 <None>                                    4s      status.ObservedGeneration not found     
config-con  IAMPolicyMember/networking-sa-dns-permis  Successful    Failed                  Ready                                     4s      Update call failed: error fetching live 
config-con  IAMPolicyMember/networking-sa-networkadm  Successful    Failed                  Ready                                     4s      Update call failed: error fetching live 
config-con  IAMPolicyMember/networking-sa-security-p  Successful    Failed                  Ready                                     4s      Update call failed: error fetching live 
config-con  IAMPolicyMember/networking-sa-service-co  Successful    Unknown                 <None>                                    3s      status.ObservedGeneration not found     
config-con  IAMPolicyMember/networking-sa-servicedir  Successful    Failed                  Ready                                     3s      Update call failed: error fetching live 
config-con  IAMPolicyMember/networking-sa-xpnadmin-p  Successful    Unknown                 <None>                                    3s      status.ObservedGeneration not found     
config-con  IAMPolicyMember/policies-sa-orgpolicyadm  Successful    Unknown                 <None>                                    3s      status.ObservedGeneration not found     
config-con  IAMPolicyMember/projects-sa-billinguser-  Successful    Unknown                 <None>                                    3s      status.ObservedGeneration not found     
config-con  IAMPolicyMember/projects-sa-projectcreat  Successful    Failed                  Ready                                     3s      Update call failed: error fetching live 
config-con  IAMPolicyMember/projects-sa-projectdelet  Successful    Failed                  Ready                                     2s      Update call failed: error fetching live 
config-con  IAMPolicyMember/projects-sa-projectiamad  Successful    Failed                  Ready                                     2s      Update call failed: error fetching live 
config-con  IAMPolicyMember/projects-sa-projectmover  Successful    Failed                  Ready                                     2s      Update call failed: error fetching live 
config-con  IAMPolicyMember/projects-sa-serviceusage  Successful    Failed                  Ready                                     2s      Update call failed: error fetching live 
config-con  IAMServiceAccount/gatekeeper-admin-sa     Successful    Failed                  Ready                                     2s      Update call failed: error applying desir
config-con  IAMServiceAccount/hierarchy-sa            Successful    Failed                  Ready                                     2s      Update call failed: error applying desir
config-con  IAMServiceAccount/logging-sa              Successful    Failed                  Ready                                     1s      Update call failed: error applying desir
config-con  IAMServiceAccount/networking-sa           Successful    Failed                  Ready                                     1s      Update call failed: error applying desir
config-con  IAMServiceAccount/policies-sa             Successful    Failed                  Ready                                     1s      Update call failed: error applying desir
config-con  IAMServiceAccount/projects-sa             Successful    Failed                  Ready                                     1s      Update call failed: error applying desir
config-con  Service/management-project-arg11-accessc  Successful    Unknown                 <None>                                    1s      status.ObservedGeneration not found     
config-con  Service/management-project-arg11-cloudbi  Successful    Unknown                 <None>                                    0s      status.ObservedGeneration not found     
config-con  Service/management-project-arg11-cloudre  Pending       Unknown                 -                                         -                                               
config-con  Service/management-project-arg11-service  Pending       Unknown                 -                                         -                                               
gatekeeper  ConfigConnectorContext/configconnectorco  Successful    Current                 <None>                                    8s      status.healthy is true                  
hierarchy   ConfigConnectorContext/configconnectorco  Pending       Unknown                 -                                         -                                               
hierarchy   RoleBinding/allow-folders-resource-refer  Pending       Unknown                 -                                         -                                               
hierarchy   RoleBinding/allow-hierarchy-resource-ref  Pending       Unknown                 -                                         -                                               
hierarchy   RoleBinding/allow-hierarchy-resource-ref  Pending       Unknown                 -                                         -                                               
hierarchy   RoleBinding/allow-hierarchy-resource-ref  Pending       Unknown                 -                                         -                                               
hierarchy   Folder/audits                             Pending       Unknown                 -                                         -                                               
hierarchy   Folder/clients                            Pending       Unknown                 -                                         -                                               
hierarchy   Folder/services                           Pending       Unknown                 -                                         -                                               
hierarchy   Folder/services-infrastructure            Pending       Unknown                 -                                         -                                               
logging     ConfigConnectorContext/configconnectorco  Pending       Unknown                 -                                         -                                               
logging     LoggingLogBucket/platform-and-component-  Pending       Unknown                 -                                         -                                               
logging     LoggingLogBucket/security-log-bucket-arg  Pending       Unknown                 -                                         -                                               
logging     LoggingLogSink/logging-project-arg11-sec  Pending       Unknown                 -                                         -                                               
logging     LoggingLogSink/mgmt-project-cluster-disa  Pending       Unknown                 -                                         -                                               
logging     LoggingLogSink/mgmt-project-cluster-plat  Pending       Unknown                 -                                         -                                               
logging     LoggingLogSink/platform-and-component-se  Pending       Unknown                 -                                         -                                               
logging     LoggingLogSink/platform-and-component-se  Pending       Unknown                 -                                         -                                               
logging     RoleBinding/allow-logging-resource-refer  Pending       Unknown                 -                                         -                                               
networking  ConfigConnectorContext/configconnectorco  Pending       Unknown                 -                                         -                                               
policies    ConfigConnectorContext/configconnectorco  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-disable-gu  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-disable-ne  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-disable-se  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-disable-vp  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-require-os  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-require-sh  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-require-sh  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-restrict-l  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-restrict-s  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-restrict-v  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-skip-defau  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-trusted-im  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-vm-can-ip-  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-vm-externa  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/essentialcontacts-  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/gcp-restrict-resou  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/iam-allowed-policy  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/iam-disable-servic  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/sql-restrict-publi  Pending       Unknown                 -                                         -                                               
NAMESPACE   RESOURCE                                  ACTION        STATUS      RECONCILED  CONDITIONS                                AGE     MESSAGE                                 
            Namespace/hierarchy                       Successful    Current                 <None>                                    10s     Resource is current                     
            Namespace/logging                         Successful    Current                 <None>                                    10s     Resource is current                     
            Namespace/networking                      Successful    Current                 <None>                                    10s     Resource is current                     
            Namespace/policies                        Successful    Current                 <None>                                    10s     Resource is current                     
            Namespace/projects                        Successful    Current                 <None>                                    9s      Resource is current                     
config-con  IAMCustomRole/gke-firewall-admin          Successful    InProgress              Ready                                     9s      Update in progress                      
config-con  IAMCustomRole/tier2-dnsrecord-admin       Successful    InProgress              Ready                                     8s      Update in progress                      
config-con  IAMCustomRole/tier2-vpcpeering-admin      Successful    InProgress              Ready                                     8s      Update in progress                      
config-con  IAMCustomRole/tier3-dnsrecord-admin       Successful    InProgress              Ready                                     8s      Update in progress                      
config-con  IAMCustomRole/tier3-firewallrule-admin    Successful    Failed                  Ready                                     7s      Update call failed: error fetching live 
config-con  IAMCustomRole/tier3-vpcsc-admin           Successful    Failed                  Ready                                     7s      Update call failed: error fetching live 
config-con  IAMPartialPolicy/gatekeeper-admin-sa-wor  Successful    InProgress              Ready                                     7s      reference IAMServiceAccount config-contr
config-con  IAMPartialPolicy/hierarchy-sa-workload-i  Successful    InProgress              Ready                                     7s      reference IAMServiceAccount config-contr
config-con  IAMPartialPolicy/logging-sa-workload-ide  Successful    InProgress              Ready                                     7s      reference IAMServiceAccount config-contr
config-con  IAMPartialPolicy/networking-sa-workload-  Successful    InProgress              Ready                                     7s      reference IAMServiceAccount config-contr
config-con  IAMPartialPolicy/policies-sa-workload-id  Successful    InProgress              Ready                                     6s      reference IAMServiceAccount config-contr
config-con  IAMPartialPolicy/projects-sa-workload-id  Successful    InProgress              Ready                                     6s      reference IAMServiceAccount config-contr
config-con  IAMPolicyMember/config-control-sa-manage  Successful    Failed                  Ready                                     6s      Update call failed: error fetching live 
config-con  IAMPolicyMember/config-control-sa-manage  Successful    Failed                  Ready                                     6s      Update call failed: error fetching live 
config-con  IAMPolicyMember/config-control-sa-orgrol  Successful    Unknown                 <None>                                    6s      status.ObservedGeneration not found     
config-con  IAMPolicyMember/gatekeeper-admin-sa-metr  Successful    Failed                  Ready                                     6s      Update call failed: error fetching live 
config-con  IAMPolicyMember/hierarchy-sa-folderadmin  Successful    Failed                  Ready                                     5s      Update call failed: error fetching live 
config-con  IAMPolicyMember/logging-sa-bigqueryadmin  Successful    Failed                  Ready                                     5s      Update call failed: error fetching live 
config-con  IAMPolicyMember/logging-sa-logadmin-perm  Successful    Unknown                 <None>                                    5s      status.ObservedGeneration not found     
config-con  IAMPolicyMember/networking-sa-dns-permis  Successful    Failed                  Ready                                     5s      Update call failed: error fetching live 
config-con  IAMPolicyMember/networking-sa-networkadm  Successful    Failed                  Ready                                     5s      Update call failed: error fetching live 
config-con  IAMPolicyMember/networking-sa-security-p  Successful    Failed                  Ready                                     5s      Update call failed: error fetching live 
config-con  IAMPolicyMember/networking-sa-service-co  Successful    Unknown                 <None>                                    4s      status.ObservedGeneration not found     
config-con  IAMPolicyMember/networking-sa-servicedir  Successful    Failed                  Ready                                     4s      Update call failed: error fetching live 
config-con  IAMPolicyMember/networking-sa-xpnadmin-p  Successful    Unknown                 <None>                                    4s      status.ObservedGeneration not found     
config-con  IAMPolicyMember/policies-sa-orgpolicyadm  Successful    Unknown                 <None>                                    4s      status.ObservedGeneration not found     
config-con  IAMPolicyMember/projects-sa-billinguser-  Successful    Unknown                 <None>                                    4s      status.ObservedGeneration not found     
config-con  IAMPolicyMember/projects-sa-projectcreat  Successful    Failed                  Ready                                     4s      Update call failed: error fetching live 
config-con  IAMPolicyMember/projects-sa-projectdelet  Successful    Failed                  Ready                                     3s      Update call failed: error fetching live 
config-con  IAMPolicyMember/projects-sa-projectiamad  Successful    Failed                  Ready                                     3s      Update call failed: error fetching live 
config-con  IAMPolicyMember/projects-sa-projectmover  Successful    Failed                  Ready                                     3s      Update call failed: error fetching live 
config-con  IAMPolicyMember/projects-sa-serviceusage  Successful    Failed                  Ready                                     3s      Update call failed: error fetching live 
config-con  IAMServiceAccount/gatekeeper-admin-sa     Successful    Failed                  Ready                                     3s      Update call failed: error applying desir
config-con  IAMServiceAccount/hierarchy-sa            Successful    Failed                  Ready                                     3s      Update call failed: error applying desir
config-con  IAMServiceAccount/logging-sa              Successful    Failed                  Ready                                     2s      Update call failed: error applying desir
config-con  IAMServiceAccount/networking-sa           Successful    Failed                  Ready                                     2s      Update call failed: error applying desir
config-con  IAMServiceAccount/policies-sa             Successful    Failed                  Ready                                     2s      Update call failed: error applying desir
config-con  IAMServiceAccount/projects-sa             Successful    Failed                  Ready                                     2s      Update call failed: error applying desir
config-con  Service/management-project-arg11-accessc  Successful    Unknown                 <None>                                    2s      status.ObservedGeneration not found     
config-con  Service/management-project-arg11-cloudbi  Successful    Unknown                 <None>                                    1s      status.ObservedGeneration not found     
config-con  Service/management-project-arg11-cloudre  Successful    Unknown                 <None>                                    1s      status.ObservedGeneration not found     
config-con  Service/management-project-arg11-service  Successful    Unknown                 <None>                                    1s      status.ObservedGeneration not found     
gatekeeper  ConfigConnectorContext/configconnectorco  Successful    Current                 <None>                                    9s      status.healthy is true                  
hierarchy   ConfigConnectorContext/configconnectorco  Pending       Unknown                 -                                         -                                               
hierarchy   RoleBinding/allow-folders-resource-refer  Pending       Unknown                 -                                         -                                               
hierarchy   RoleBinding/allow-hierarchy-resource-ref  Pending       Unknown                 -                                         -                                               
hierarchy   RoleBinding/allow-hierarchy-resource-ref  Pending       Unknown                 -                                         -                                               
hierarchy   RoleBinding/allow-hierarchy-resource-ref  Pending       Unknown                 -                                         -                                               
hierarchy   Folder/audits                             Pending       Unknown                 -                                         -                                               
hierarchy   Folder/clients                            Pending       Unknown                 -                                         -                                               
hierarchy   Folder/services                           Pending       Unknown                 -                                         -                                               
hierarchy   Folder/services-infrastructure            Pending       Unknown                 -                                         -                                               
logging     ConfigConnectorContext/configconnectorco  Pending       Unknown                 -                                         -                                               
logging     LoggingLogBucket/platform-and-component-  Pending       Unknown                 -                                         -                                               
logging     LoggingLogBucket/security-log-bucket-arg  Pending       Unknown                 -                                         -                                               
logging     LoggingLogSink/logging-project-arg11-sec  Pending       Unknown                 -                                         -                                               
logging     LoggingLogSink/mgmt-project-cluster-disa  Pending       Unknown                 -                                         -                                               
logging     LoggingLogSink/mgmt-project-cluster-plat  Pending       Unknown                 -                                         -                                               
logging     LoggingLogSink/platform-and-component-se  Pending       Unknown                 -                                         -                                               
logging     LoggingLogSink/platform-and-component-se  Pending       Unknown                 -                                         -                                               
logging     RoleBinding/allow-logging-resource-refer  Pending       Unknown                 -                                         -                                               
networking  ConfigConnectorContext/configconnectorco  Pending       Unknown                 -                                         -                                               
policies    ConfigConnectorContext/configconnectorco  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-disable-gu  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-disable-ne  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-disable-se  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-disable-vp  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-require-os  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-require-sh  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-require-sh  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-restrict-l  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-restrict-s  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-restrict-v  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-skip-defau  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-trusted-im  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-vm-can-ip-  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-vm-externa  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/essentialcontacts-  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/gcp-restrict-resou  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/iam-allowed-policy  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/iam-disable-servic  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/sql-restrict-publi  Pending       Unknown                 -                                         -                                               
NAMESPACE   RESOURCE                                  ACTION        STATUS      RECONCILED  CONDITIONS                                AGE     MESSAGE                                 
            Namespace/hierarchy                       Successful    Current                 <None>                                    10s     Resource is current                     
            Namespace/logging                         Successful    Current                 <None>                                    10s     Resource is current                     
            Namespace/networking                      Successful    Current                 <None>                                    10s     Resource is current                     
            Namespace/policies                        Successful    Current                 <None>                                    10s     Resource is current                     
            Namespace/projects                        Successful    Current                 <None>                                    9s      Resource is current                     
config-con  IAMCustomRole/gke-firewall-admin          Successful    InProgress              Ready                                     9s      Update in progress                      
config-con  IAMCustomRole/tier2-dnsrecord-admin       Successful    InProgress              Ready                                     8s      Update in progress                      
config-con  IAMCustomRole/tier2-vpcpeering-admin      Successful    InProgress              Ready                                     8s      Update in progress                      
config-con  IAMCustomRole/tier3-dnsrecord-admin       Successful    InProgress              Ready                                     8s      Update in progress                      
config-con  IAMCustomRole/tier3-firewallrule-admin    Successful    InProgress              Ready                                     7s      Update in progress                      
config-con  IAMCustomRole/tier3-vpcsc-admin           Successful    InProgress              Ready                                     7s      Update in progress                      
config-con  IAMPartialPolicy/gatekeeper-admin-sa-wor  Successful    InProgress              Ready                                     7s      reference IAMServiceAccount config-contr
config-con  IAMPartialPolicy/hierarchy-sa-workload-i  Successful    InProgress              Ready                                     7s      reference IAMServiceAccount config-contr
config-con  IAMPartialPolicy/logging-sa-workload-ide  Successful    InProgress              Ready                                     7s      reference IAMServiceAccount config-contr
config-con  IAMPartialPolicy/networking-sa-workload-  Successful    InProgress              Ready                                     7s      reference IAMServiceAccount config-contr
config-con  IAMPartialPolicy/policies-sa-workload-id  Successful    InProgress              Ready                                     6s      reference IAMServiceAccount config-contr
config-con  IAMPartialPolicy/projects-sa-workload-id  Successful    InProgress              Ready                                     6s      reference IAMServiceAccount config-contr
config-con  IAMPolicyMember/config-control-sa-manage  Successful    Failed                  Ready                                     6s      Update call failed: error fetching live 
config-con  IAMPolicyMember/config-control-sa-manage  Successful    Failed                  Ready                                     6s      Update call failed: error fetching live 
config-con  IAMPolicyMember/config-control-sa-orgrol  Successful    Unknown                 <None>                                    6s      status.ObservedGeneration not found     
config-con  IAMPolicyMember/gatekeeper-admin-sa-metr  Successful    Failed                  Ready                                     6s      Update call failed: error fetching live 
config-con  IAMPolicyMember/hierarchy-sa-folderadmin  Successful    Failed                  Ready                                     5s      Update call failed: error fetching live 
config-con  IAMPolicyMember/logging-sa-bigqueryadmin  Successful    Failed                  Ready                                     5s      Update call failed: error fetching live 
config-con  IAMPolicyMember/logging-sa-logadmin-perm  Successful    Unknown                 <None>                                    5s      status.ObservedGeneration not found     
config-con  IAMPolicyMember/networking-sa-dns-permis  Successful    Failed                  Ready                                     5s      Update call failed: error fetching live 
config-con  IAMPolicyMember/networking-sa-networkadm  Successful    Failed                  Ready                                     5s      Update call failed: error fetching live 
config-con  IAMPolicyMember/networking-sa-security-p  Successful    Failed                  Ready                                     5s      Update call failed: error fetching live 
config-con  IAMPolicyMember/networking-sa-service-co  Successful    Unknown                 <None>                                    4s      status.ObservedGeneration not found     
config-con  IAMPolicyMember/networking-sa-servicedir  Successful    Failed                  Ready                                     4s      Update call failed: error fetching live 
config-con  IAMPolicyMember/networking-sa-xpnadmin-p  Successful    Unknown                 <None>                                    4s      status.ObservedGeneration not found     
config-con  IAMPolicyMember/policies-sa-orgpolicyadm  Successful    Unknown                 <None>                                    4s      status.ObservedGeneration not found     
config-con  IAMPolicyMember/projects-sa-billinguser-  Successful    Unknown                 <None>                                    4s      status.ObservedGeneration not found     
config-con  IAMPolicyMember/projects-sa-projectcreat  Successful    Failed                  Ready                                     4s      Update call failed: error fetching live 
config-con  IAMPolicyMember/projects-sa-projectdelet  Successful    Failed                  Ready                                     3s      Update call failed: error fetching live 
config-con  IAMPolicyMember/projects-sa-projectiamad  Successful    Failed                  Ready                                     3s      Update call failed: error fetching live 
config-con  IAMPolicyMember/projects-sa-projectmover  Successful    Failed                  Ready                                     3s      Update call failed: error fetching live 
config-con  IAMPolicyMember/projects-sa-serviceusage  Successful    Failed                  Ready                                     3s      Update call failed: error fetching live 
config-con  IAMServiceAccount/gatekeeper-admin-sa     Successful    Failed                  Ready                                     3s      Update call failed: error applying desir
config-con  IAMServiceAccount/hierarchy-sa            Successful    Failed                  Ready                                     3s      Update call failed: error applying desir
config-con  IAMServiceAccount/logging-sa              Successful    Failed                  Ready                                     2s      Update call failed: error applying desir
config-con  IAMServiceAccount/networking-sa           Successful    Failed                  Ready                                     2s      Update call failed: error applying desir
config-con  IAMServiceAccount/policies-sa             Successful    Failed                  Ready                                     2s      Update call failed: error applying desir
config-con  IAMServiceAccount/projects-sa             Successful    Failed                  Ready                                     2s      Update call failed: error applying desir
config-con  Service/management-project-arg11-accessc  Successful    Unknown                 <None>                                    2s      status.ObservedGeneration not found     
config-con  Service/management-project-arg11-cloudbi  Successful    Unknown                 <None>                                    1s      status.ObservedGeneration not found     
config-con  Service/management-project-arg11-cloudre  Successful    Unknown                 <None>                                    1s      status.ObservedGeneration not found     
config-con  Service/management-project-arg11-service  Successful    Unknown                 <None>                                    1s      status.ObservedGeneration not found     
gatekeeper  ConfigConnectorContext/configconnectorco  Successful    Current                 <None>                                    9s      status.healthy is true                  
hierarchy   ConfigConnectorContext/configconnectorco  Pending       Unknown                 -                                         -                                               
hierarchy   RoleBinding/allow-folders-resource-refer  Pending       Unknown                 -                                         -                                               
hierarchy   RoleBinding/allow-hierarchy-resource-ref  Pending       Unknown                 -                                         -                                               
hierarchy   RoleBinding/allow-hierarchy-resource-ref  Pending       Unknown                 -                                         -                                               
hierarchy   RoleBinding/allow-hierarchy-resource-ref  Pending       Unknown                 -                                         -                                               
hierarchy   Folder/audits                             Pending       Unknown                 -                                         -                                               
hierarchy   Folder/clients                            Pending       Unknown                 -                                         -                                               
hierarchy   Folder/services                           Pending       Unknown                 -                                         -                                               
hierarchy   Folder/services-infrastructure            Pending       Unknown                 -                                         -                                               
logging     ConfigConnectorContext/configconnectorco  Pending       Unknown                 -                                         -                                               
logging     LoggingLogBucket/platform-and-component-  Pending       Unknown                 -                                         -                                               
logging     LoggingLogBucket/security-log-bucket-arg  Pending       Unknown                 -                                         -                                               
logging     LoggingLogSink/logging-project-arg11-sec  Pending       Unknown                 -                                         -                                               
logging     LoggingLogSink/mgmt-project-cluster-disa  Pending       Unknown                 -                                         -                                               
logging     LoggingLogSink/mgmt-project-cluster-plat  Pending       Unknown                 -                                         -                                               
logging     LoggingLogSink/platform-and-component-se  Pending       Unknown                 -                                         -                                               
logging     LoggingLogSink/platform-and-component-se  Pending       Unknown                 -                                         -                                               
logging     RoleBinding/allow-logging-resource-refer  Pending       Unknown                 -                                         -                                               
networking  ConfigConnectorContext/configconnectorco  Pending       Unknown                 -                                         -                                               
policies    ConfigConnectorContext/configconnectorco  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-disable-gu  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-disable-ne  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-disable-se  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-disable-vp  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-require-os  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-require-sh  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-require-sh  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-restrict-l  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-restrict-s  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-restrict-v  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-skip-defau  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-trusted-im  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-vm-can-ip-  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-vm-externa  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/essentialcontacts-  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/gcp-restrict-resou  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/iam-allowed-policy  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/iam-disable-servic  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/sql-restrict-publi  Pending       Unknown                 -                                         -                                               
NAMESPACE   RESOURCE                                  ACTION        STATUS      RECONCILED  CONDITIONS                                AGE     MESSAGE                                 
            Namespace/hierarchy                       Successful    Current                 <None>                                    11s     Resource is current                     
            Namespace/logging                         Successful    Current                 <None>                                    11s     Resource is current                     
            Namespace/networking                      Successful    Current                 <None>                                    11s     Resource is current                     
            Namespace/policies                        Successful    Current                 <None>                                    11s     Resource is current                     
            Namespace/projects                        Successful    Current                 <None>                                    10s     Resource is current                     
config-con  IAMCustomRole/gke-firewall-admin          Successful    InProgress              Ready                                     10s     Update in progress                      
config-con  IAMCustomRole/tier2-dnsrecord-admin       Successful    Current                 Ready                                     9s      Resource is Current                     
config-con  IAMCustomRole/tier2-vpcpeering-admin      Successful    InProgress              Ready                                     9s      Update in progress                      
config-con  IAMCustomRole/tier3-dnsrecord-admin       Successful    InProgress              Ready                                     9s      Update in progress                      
config-con  IAMCustomRole/tier3-firewallrule-admin    Successful    InProgress              Ready                                     8s      Update in progress                      
config-con  IAMCustomRole/tier3-vpcsc-admin           Successful    InProgress              Ready                                     8s      Update in progress                      
config-con  IAMPartialPolicy/gatekeeper-admin-sa-wor  Successful    InProgress              Ready                                     8s      reference IAMServiceAccount config-contr
config-con  IAMPartialPolicy/hierarchy-sa-workload-i  Successful    InProgress              Ready                                     8s      reference IAMServiceAccount config-contr
config-con  IAMPartialPolicy/logging-sa-workload-ide  Successful    InProgress              Ready                                     8s      reference IAMServiceAccount config-contr
config-con  IAMPartialPolicy/networking-sa-workload-  Successful    InProgress              Ready                                     8s      reference IAMServiceAccount config-contr
config-con  IAMPartialPolicy/policies-sa-workload-id  Successful    InProgress              Ready                                     7s      reference IAMServiceAccount config-contr
config-con  IAMPartialPolicy/projects-sa-workload-id  Successful    InProgress              Ready                                     7s      reference IAMServiceAccount config-contr
config-con  IAMPolicyMember/config-control-sa-manage  Successful    Failed                  Ready                                     7s      Update call failed: error fetching live 
config-con  IAMPolicyMember/config-control-sa-manage  Successful    Failed                  Ready                                     7s      Update call failed: error fetching live 
config-con  IAMPolicyMember/config-control-sa-orgrol  Successful    Unknown                 <None>                                    7s      status.ObservedGeneration not found     
config-con  IAMPolicyMember/gatekeeper-admin-sa-metr  Successful    Failed                  Ready                                     7s      Update call failed: error fetching live 
config-con  IAMPolicyMember/hierarchy-sa-folderadmin  Successful    Failed                  Ready                                     6s      Update call failed: error fetching live 
config-con  IAMPolicyMember/logging-sa-bigqueryadmin  Successful    Failed                  Ready                                     6s      Update call failed: error fetching live 
config-con  IAMPolicyMember/logging-sa-logadmin-perm  Successful    Unknown                 <None>                                    6s      status.ObservedGeneration not found     
config-con  IAMPolicyMember/networking-sa-dns-permis  Successful    Failed                  Ready                                     6s      Update call failed: error fetching live 
config-con  IAMPolicyMember/networking-sa-networkadm  Successful    Failed                  Ready                                     6s      Update call failed: error fetching live 
config-con  IAMPolicyMember/networking-sa-security-p  Successful    Failed                  Ready                                     6s      Update call failed: error fetching live 
config-con  IAMPolicyMember/networking-sa-service-co  Successful    Unknown                 <None>                                    5s      status.ObservedGeneration not found     
config-con  IAMPolicyMember/networking-sa-servicedir  Successful    Failed                  Ready                                     5s      Update call failed: error fetching live 
config-con  IAMPolicyMember/networking-sa-xpnadmin-p  Successful    Unknown                 <None>                                    5s      status.ObservedGeneration not found     
config-con  IAMPolicyMember/policies-sa-orgpolicyadm  Successful    Unknown                 <None>                                    5s      status.ObservedGeneration not found     
config-con  IAMPolicyMember/projects-sa-billinguser-  Successful    Unknown                 <None>                                    5s      status.ObservedGeneration not found     
config-con  IAMPolicyMember/projects-sa-projectcreat  Successful    Failed                  Ready                                     5s      Update call failed: error fetching live 
config-con  IAMPolicyMember/projects-sa-projectdelet  Successful    Failed                  Ready                                     4s      Update call failed: error fetching live 
config-con  IAMPolicyMember/projects-sa-projectiamad  Successful    Failed                  Ready                                     4s      Update call failed: error fetching live 
config-con  IAMPolicyMember/projects-sa-projectmover  Successful    Failed                  Ready                                     4s      Update call failed: error fetching live 
config-con  IAMPolicyMember/projects-sa-serviceusage  Successful    Failed                  Ready                                     4s      Update call failed: error fetching live 
config-con  IAMServiceAccount/gatekeeper-admin-sa     Successful    Failed                  Ready                                     4s      Update call failed: error applying desir
config-con  IAMServiceAccount/hierarchy-sa            Successful    Failed                  Ready                                     4s      Update call failed: error applying desir
config-con  IAMServiceAccount/logging-sa              Successful    Failed                  Ready                                     3s      Update call failed: error applying desir
config-con  IAMServiceAccount/networking-sa           Successful    Failed                  Ready                                     3s      Update call failed: error applying desir
config-con  IAMServiceAccount/policies-sa             Successful    Failed                  Ready                                     3s      Update call failed: error applying desir
config-con  IAMServiceAccount/projects-sa             Successful    Failed                  Ready                                     3s      Update call failed: error applying desir
config-con  Service/management-project-arg11-accessc  Successful    Unknown                 <None>                                    3s      status.ObservedGeneration not found     
config-con  Service/management-project-arg11-cloudbi  Successful    Unknown                 <None>                                    2s      status.ObservedGeneration not found     
config-con  Service/management-project-arg11-cloudre  Successful    Unknown                 <None>                                    2s      status.ObservedGeneration not found     
config-con  Service/management-project-arg11-service  Successful    Unknown                 <None>                                    2s      status.ObservedGeneration not found     
gatekeeper  ConfigConnectorContext/configconnectorco  Successful    Current                 <None>                                    10s     status.healthy is true                  
hierarchy   ConfigConnectorContext/configconnectorco  Pending       Unknown                 -                                         -                                               
hierarchy   RoleBinding/allow-folders-resource-refer  Pending       Unknown                 -                                         -                                               
hierarchy   RoleBinding/allow-hierarchy-resource-ref  Pending       Unknown                 -                                         -                                               
hierarchy   RoleBinding/allow-hierarchy-resource-ref  Pending       Unknown                 -                                         -                                               
hierarchy   RoleBinding/allow-hierarchy-resource-ref  Pending       Unknown                 -                                         -                                               
hierarchy   Folder/audits                             Pending       Unknown                 -                                         -                                               
hierarchy   Folder/clients                            Pending       Unknown                 -                                         -                                               
hierarchy   Folder/services                           Pending       Unknown                 -                                         -                                               
hierarchy   Folder/services-infrastructure            Pending       Unknown                 -                                         -                                               
logging     ConfigConnectorContext/configconnectorco  Pending       Unknown                 -                                         -                                               
logging     LoggingLogBucket/platform-and-component-  Pending       Unknown                 -                                         -                                               
logging     LoggingLogBucket/security-log-bucket-arg  Pending       Unknown                 -                                         -                                               
logging     LoggingLogSink/logging-project-arg11-sec  Pending       Unknown                 -                                         -                                               
logging     LoggingLogSink/mgmt-project-cluster-disa  Pending       Unknown                 -                                         -                                               
logging     LoggingLogSink/mgmt-project-cluster-plat  Pending       Unknown                 -                                         -                                               
logging     LoggingLogSink/platform-and-component-se  Pending       Unknown                 -                                         -                                               
logging     LoggingLogSink/platform-and-component-se  Pending       Unknown                 -                                         -                                               
logging     RoleBinding/allow-logging-resource-refer  Pending       Unknown                 -                                         -                                               
networking  ConfigConnectorContext/configconnectorco  Pending       Unknown                 -                                         -                                               
policies    ConfigConnectorContext/configconnectorco  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-disable-gu  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-disable-ne  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-disable-se  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-disable-vp  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-require-os  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-require-sh  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-require-sh  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-restrict-l  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-restrict-s  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-restrict-v  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-skip-defau  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-trusted-im  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-vm-can-ip-  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/compute-vm-externa  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/essentialcontacts-  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/gcp-restrict-resou  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/iam-allowed-policy  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/iam-disable-servic  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/sql-restrict-publi  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/storage-public-acc  Pending       Unknown                 -                                         -                                               
policies    ResourceManagerPolicy/storage-uniform-bu  Pending       Unknown                 -                                         -                                               
projects    ConfigConnectorContext/configconnectorco  Pending       Unknown                 -                                         -                                               
projects    IAMAuditConfig/logging-project-data-acce  Pending       Unknown                 -                                         -                                               
projects    IAMPartialPolicy/mgmt-project-cluster-pl  Pending       Unknown                 -                                         -                                               
projects    IAMPartialPolicy/platform-and-component-  Pending       Unknown                 -                                         -                                               
projects    IAMPartialPolicy/platform-and-component-  Pending       Unknown                 -                                         -                                               
projects    IAMPartialPolicy/security-log-bucket-wri  Pending       Unknown                 -                                         -                                               
projects    RoleBinding/allow-projects-resource-refe  Pending       Unknown                 -                                 

wrong folder id - used project boot
let it run its course and update later
  lz-folder-id: '872374816049' 
  #'pdt-arg-kcc11'

rerun
policies    ResourceManagerPolicy/storage-uniform-bu  Successful    Failed                  Ready                                     10m     Update call failed: error fetching live 
projects    ConfigConnectorContext/configconnectorco  Successful    Current                 <None>                                    10m     status.healthy is true                  
projects    IAMAuditConfig/logging-project-data-acce  Skipped       Unknown                 -                                         -                                               
projects    IAMPartialPolicy/mgmt-project-cluster-pl  Skipped       Unknown                 -                                         -                                               
projects    IAMPartialPolicy/platform-and-component-  Skipped       Unknown                 -                                         -                                               
projects    IAMPartialPolicy/platform-and-component-  Skipped       Unknown                 -                                         -                                               
projects    IAMPartialPolicy/security-log-bucket-wri  Skipped       Unknown                 -                                         -                                               
projects    RoleBinding/allow-projects-resource-refe  Successful    Current                 <None>                                    10m     Resource is current                     
projects    RoleBinding/allow-projects-resource-refe  Successful    Current                 <None>                                    10m     Resource is current                     
projects    RoleBinding/allow-projects-resource-refe  Successful    Current                 <None>                                    10m     Resource is current                     
projects    Project/logging-project-arg11             Successful    InProgress              Ready                                     10m     reference Folder hierarchy/audits is not

admin_@cloudshell:~/pdt-arg/main (pdt-arg-kcc11)$ 

folder not rendered properly in folder.yaml

    external: 'pdt-arg-kcc11' # kpt-set: ${lz-folder-id}

[obriensystems]

Move to kcc.landing.systems follow https://cloud.google.com/anthos-config-management/docs/concepts/config-controller-overview from https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit#readme then

export CLUSTER=kcc-kls
export REGION=northamerica-northeast1
export PROJECT_ID=kcc-kls-cluster
export LZ_FOLDER_NAME=kcc-lz-20230802
export NETWORK=kcc-kls-vpc1
export SUBNET=kcc-kls-sn1
export ORG_ID=1564838...
export ROOT_FOLDER_ID=444332200332
export BILLING_ID=01A4...
#export GIT_USERNAME=<Git-Username> # For Azure Devops, this is the name of the Organization
#export CONFIG_SYNC_REPO=<Repo for Config Sync> # tierX repo URL
#export CONFIG_SYNC_VERSION='HEAD'
#export CONFIG_SYNC_DIR=<Directory for config sync repo which syncs> # Should default to csync/deploy/<env>

2213

root_@cloudshell:~/kcc-kls/20230719/gcp-tools/scripts/bootstrap (kcc-kls)$ ./setup-kcc.sh -f pdt-kls.env 

##INFO - Update the logging for region

kmsServiceAccountId: cmek-o156483884993@gcp-sa-logging.iam.gserviceaccount.com
loggingServiceAccountId: service-org-156483884993@gcp-sa-logging.iam.gserviceaccount.com
name: organizations/156483884993/settings
storageLocation: northamerica-northeast1

##INFO - create folder and project

Create in progress for [https://cloudresourcemanager.googleapis.com/v1/projects/kcc-kls-cluster].
Waiting for [operations/cp.7418676574276417307] to finish...done.                                                                                                                                                                           
Enabling service [cloudapis.googleapis.com] on project [kcc-kls-cluster]...
Operation "operations/acat.p2-630577449085-fcb8f6cb-0970-4a84-872c-dde3178ce3e5" finished successfully.
Updated property [core/project] to [kcc-kls-cluster].

##INFO - Link billing account

billingAccountName: billingAccounts/01A4...
billingEnabled: true
name: projects/kcc-kls-cluster/billingInfo
projectId: kcc-kls-cluster

##INFO - sleep 30s to allow for project creation before enabling services

Updated property [core/project].

##INFO - Enable services

Operation "operations/acf.p2-630577449085-fec6ad16-2963-406f-aefb-aec4c2883383" finished successfully.

##INFO - VPC

Created [https://www.googleapis.com/compute/v1/projects/kcc-kls-cluster/global/networks/kcc-kls-vpc1].
NAME: kcc-kls-vpc1
SUBNET_MODE: CUSTOM
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE: 
GATEWAY_IPV4: 

Instances on this network will not be reachable until firewall rules
are created. As an example, you can allow all internal traffic between
instances as well as SSH, RDP, and ICMP by running:

$ gcloud compute firewall-rules create <FIREWALL_NAME> --network kcc-kls-vpc1 --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network kcc-kls-vpc1 --allow tcp:22,tcp:3389,icmp

##INFO - Subnet

Created [https://www.googleapis.com/compute/v1/projects/kcc-kls-cluster/regions/northamerica-northeast1/subnetworks/kcc-kls-sn1].
NAME: kcc-kls-sn1
REGION: northamerica-northeast1
NETWORK: kcc-kls-vpc1
RANGE: 192.168.0.0/16
STACK_TYPE: IPV4_ONLY
IPV6_ACCESS_TYPE: 
INTERNAL_IPV6_PREFIX: 
EXTERNAL_IPV6_PREFIX: 

##INFO - Cloud router and Cloud NAT

Creating router [kcc-router]...done.                                                                                                                                                                                                        
NAME: kcc-router
REGION: northamerica-northeast1
NETWORK: kcc-kls-vpc1
Creating NAT [kcc-router] in router [kcc-router]...working       
##INFO - enable logging for dns

Created Policy [https://dns.googleapis.com/dns/v1/projects/kcc-kls-cluster/policies/dnspolicy1].
{
  "description": "dns policy to enable logging",
  "enableInboundForwarding": false,
  "enableLogging": true,
  "id": "3071101327108607715",
  "kind": "dns#policy",
  "name": "dnspolicy1",
  "networks": [
    {
      "kind": "dns#policyNetwork",
      "networkUrl": "https://compute.googleapis.com/compute/v1/projects/kcc-kls-cluster/global/networks/kcc-kls-vpc1"
    }
  ]
}

##INFO - private ip for apis

Created [https://www.googleapis.com/compute/v1/projects/kcc-kls-cluster/global/addresses/apis-private-ip].

##INFO - sleep 15s to allow for address to create

##INFO - private endpoint

Created [https://www.googleapis.com/compute/v1/projects/kcc-kls-cluster/global/forwardingRules/endpoint1].

##INFO - private dns zone for googleapis.com

Created [https://dns.googleapis.com/dns/v1/projects/kcc-kls-cluster/managedZones/googleapis].
NAME: googleapis.com.
TYPE: A
TTL: 300
DATA: 10.255.255.254
NAME: *.googleapis.com.
TYPE: CNAME
TTL: 300
DATA: googleapis.com.

##INFO - private dns zone for gcr.io

Created [https://dns.googleapis.com/dns/v1/projects/kcc-kls-cluster/managedZones/gcrio].
NAME: gcr.io.
TYPE: A
TTL: 300
DATA: 10.255.255.254
NAME: *.gcr.io.
TYPE: CNAME
TTL: 300
DATA: gcr.io.

##INFO - Allow egress to AZDO (optional)

Creating firewall...working..Created [https://www.googleapis.com/compute/v1/projects/kcc-kls-cluster/global/firewalls/allow-egress-azure].                                                                                                  
Creating firewall...done.                                                                                                                                                                                                                   
NAME: allow-egress-azure
NETWORK: kcc-kls-vpc1
DIRECTION: EGRESS
PRIORITY: 5000
ALLOW: tcp:22,tcp:443
DENY: 
DISABLED: False

##INFO - Allow egress to Github (optional)

Creating firewall...working.
Creating firewall...done.                                                                                                                                                                                                                   
NAME: allow-egress-github
NETWORK: kcc-kls-vpc1
DIRECTION: EGRESS
PRIORITY: 5001
ALLOW: tcp:22,tcp:443
DENY: 
DISABLED: False

##INFO - Allow egress to internal, peered vpc and secondary ranges

Creating firewall...working.     
Creating firewall...done.                                                                                                                                                                                                                   
NAME: allow-egress-internal
NETWORK: kcc-kls-vpc1
DIRECTION: EGRESS
PRIORITY: 1000
ALLOW: all
DENY: 
DISABLED: False

##INFO - Deny egress to internet

Creating firewall...working..Created [https://www.googleapis.com/compute/v1/projects/kcc-kls-cluster/global/firewalls/deny-egress-internet].                                                                                                
Creating firewall...done.                                                                                                                                                                                                                   
NAME: deny-egress-internet
NETWORK: kcc-kls-vpc1
DIRECTION: EGRESS
PRIORITY: 65535
ALLOW: 
DENY: all
DISABLED: False

##INFO - Create Config controller

Create request issued for: [kcc-kls]
Waiting for operation [projects/kcc-kls-cluster/locations/northamerica-northeast1/operations/operation-1691029053375-601fb6208033c-918c34b7-3db667f0] to complete...working..        

2218                                                                                                                                                                                                                                                                       

2246
Waiting for operation [projects/kcc-kls-cluster/locations/northamerica-northeast1/operations/operation-1691029053375-601fb6208033c-918c34b7-3db667f0] to complete...failed.                                                                 
ERROR: (gcloud.anthos.config.controller.create) Operation https://krmapihosting.googleapis.com/v1/projects/kcc-kls-cluster/locations/northamerica-northeast1/operations/operation-1691029053375-601fb6208033c-918c34b7-3db667f0 has not finished in 1800 seconds. The operations may still be underway remotely and may still succeed; use gcloud list and describe commands or https://console.developers.google.com/ to check resource state.

raise https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/438

After 50 min the nodepool is up but the cluster nodes are not running yet

workaround is to delete it (to preserve quota) and rerun it manually - or wait 55 min for the cluster to auto delete

2308
./setup-kcc.sh -af pdt-kls.env 

##INFO - Cloud router and Cloud NAT

Creating router [kcc-router]...working.                                        
Creating router [kcc-router]...done.                                           
ERROR: gcloud crashed (TypeError): string indices must be integers

If you would like to report this issue, please run the following command:
  gcloud feedback

To check gcloud for common problems, please run the following command:
  gcloud info --run-diagnostics

renaming not just the project
export CLUSTER=kcc-kls3
export REGION=northamerica-northeast1
export PROJECT_ID=kcc-kls-cluster3
export LZ_FOLDER_NAME=kcc-lz-20230802b
export NETWORK=kcc-kls-vpc3
export SUBNET=kcc-kls-sn3

disable billing -  delete project

rename router
gcloud compute routers create kcc-router3 --project="$PROJECT_ID"  --network="$NETWORK"  --asn=64513 --region="$REGION"
gcloud compute routers nats create kcc-router3 --router=kcc-router3 --region="$REGION" --auto-allocate-nat-external-ips --nat-all-subnet-ip-ranges --enable-logging

switch project back to seed

root_@cloudshell:~/kcc-kls/20230719/gcp-tools/scripts/bootstrap (kcc-kls-cluster2)$ gcloud config set project kcc-kls
Updated property [core/project].
root_@cloudshell:~/kcc-kls/20230719/gcp-tools/scripts/bootstrap (kcc-kls)$ 

root_@cloudshell:~/kcc-kls/20230719/gcp-tools/scripts/bootstrap (kcc-kls)$ ./setup-kcc.sh -af pdt-kls.env 

2323

nat ok now that we are in a different project

##INFO - Cloud router and Cloud NAT

Creating router [kcc-router3]...done.                                                                                                                                                                                                     
NAME: kcc-router3
REGION: northamerica-northeast1
NETWORK: kcc-kls-vpc3
Creating NAT [kcc-router3] in router [kcc-router3]...working   

2327
Create request issued for: [kcc-kls3]
Waiting for operation [projects/kcc-kls-cluster3/locations/northamerica-northeast1/operations/operation-1691033255751-601fc5c832e5b-a5517bbf-34becf43] to complete...working.. 

Create request issued for: [kcc-kls3]
Waiting for operation [projects/kcc-kls-cluster3/locations/northamerica-northeast1/operations/operation-1691033255751-601fc5c832e5b-a5517bbf-34becf43] to complete...working.. 

2332

2334 83%

autopilot is better

2338 workloads still coming up

2341

2342

2343

2344 - 3 left

1 left

2345 (13 min)

secret/git-creds created

##INFO - Apply root sync

rootsync.configsync.gke.io/root-sync created

##WARNING - The root-sync.yaml file should be checked into the <tier1-REPO>

root_@cloudshell:~/kcc-kls/20230719/gcp-tools/scripts/bootstrap (kcc-kls-cluster3)$ 

https://cloud.google.com/kubernetes-engine/docs/how-to/cloud-dns?_ga=2.151718137.-1143133292.1680630953

[obriensystems]

installing lz https://cloud.google.com/anthos-config-management/docs/how-to/config-controller-setup#configure-config-connector and https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/docs/landing-zone-v2/README.md#2-create-your-landing-zone

root_@cloudshell:~/kcc-kls/20230719/gcp-tools/scripts/bootstrap (kcc-kls-cluster3)$ kubectl wait pod --all --all-namespaces --for=condition=Ready
pod/cnrm-controller-manager-sgfj3cxgisp6jdsfy7qq-0 condition met
pod/cnrm-deletiondefender-0 condition met
pod/cnrm-resource-stats-recorder-7dbbc9d566-96mff condition met
pod/cnrm-unmanaged-detector-0 condition met
pod/cnrm-webhook-manager-68785b46b7-k79g8 condition met
pod/cnrm-webhook-manager-68785b46b7-kffz5 condition met
pod/otel-collector-c6c69c484-f5s6f condition met
pod/config-management-operator-f755bdf8b-rxz2x condition met
pod/reconciler-manager-85c5844b47-cwfwj condition met
pod/configconnector-operator-0 condition met
pod/gatekeeper-audit-78c4b9589b-f9bxn condition met
pod/gatekeeper-controller-manager-7bc6dd8f46-qhhvm condition met
pod/alertmanager-0 condition met
pod/collector-bb4st condition met
pod/collector-h4j24 condition met
pod/collector-szhxn condition met
pod/gmp-operator-7478b74984-j8g9b condition met
pod/rule-evaluator-767c5ccc99-7mbnt condition met
pod/krmapihosting-metrics-agent-55glj condition met
pod/krmapihosting-metrics-agent-9nlw9 condition met
pod/krmapihosting-metrics-agent-d8xm9 condition met
pod/bootstrap-79d76cd77b-rd5n8 condition met
pod/anetd-cg6g9 condition met
pod/anetd-f2gpt condition met
pod/anetd-r7gr2 condition met
pod/antrea-controller-horizontal-autoscaler-7b69d9bfd7-rqq8r condition met
pod/egress-nat-controller-98648bc69-fm8nk condition met
pod/event-exporter-gke-7bf6c99dcb-c5dd9 condition met
pod/filestore-node-4p9cx condition met
pod/filestore-node-5jlfv condition met
pod/filestore-node-74pm4 condition met
pod/fluentbit-gke-big-6hsk5 condition met
pod/fluentbit-gke-big-sxkh2 condition met
pod/fluentbit-gke-big-vm26j condition met
pod/gcsfusecsi-node-7k76l condition met
pod/gcsfusecsi-node-j8r4b condition met
pod/gcsfusecsi-node-sq62q condition met
pod/gke-metadata-server-mb6sx condition met
pod/gke-metadata-server-mczq5 condition met
pod/gke-metadata-server-p6xhp condition met
pod/gke-metrics-agent-9hvwg condition met
pod/gke-metrics-agent-j4xvr condition met
pod/gke-metrics-agent-spdl8 condition met
pod/ip-masq-agent-cphwd condition met
pod/ip-masq-agent-n7nbw condition met
pod/ip-masq-agent-r8pvq condition met
pod/konnectivity-agent-5b687c8dcb-dkrth condition met
pod/konnectivity-agent-5b687c8dcb-vgmkm condition met
pod/konnectivity-agent-5b687c8dcb-vj4cn condition met
pod/konnectivity-agent-autoscaler-5d9dbcc6d8-2s5dp condition met
pod/kube-dns-865c4fb86d-k5b2c condition met
pod/kube-dns-865c4fb86d-skmk6 condition met
pod/kube-dns-autoscaler-84b8db4dc7-h47j6 condition met
pod/l7-default-backend-799dc5bb9-w6s57 condition met
pod/metrics-server-v0.5.2-6bf74b5d5f-fknxl condition met
pod/netd-dtqvj condition met
pod/netd-l5wgc condition met
pod/netd-nhgl9 condition met
pod/node-local-dns-5wzzk condition met
pod/node-local-dns-bxqzh condition met
pod/node-local-dns-fkfln condition met
pod/pdcsi-node-ddxsp condition met
pod/pdcsi-node-mphv5 condition met
pod/pdcsi-node-vngs4 condition met
pod/resource-group-controller-manager-86dc76874f-gbz9l condition met

https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tags?after=solutions%2Fexperimentation%2Fclient-landing-zone%2F0.1.0

root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ kpt pkg get https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git/solutions/experimentation/core-landing-zone@0.1.0
Package "core-landing-zone":
Fetching https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit@0.1.0
From https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit
 * tag               solutions/experimentation/core-landing-zone/0.1.0 -> FETCH_HEAD
Adding package "solutions/experimentation/core-landing-zone".

Fetched 1 package(s).

[obriensystems]

ongoing #296 day0 instructions

296 - day0 install readme must include 2 core-landing-zone pkg instructions link

make the instructions clearer on the 2 step quickstart - to avoid client confusion

• install the kcc cluster
• install a default landing-zone-v2 - composed of the dual pkg - core-landing-zone and experimentation/core-landing-zone

verified all link changes https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/pull/443

follow in #445 https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/409 specifically the kpt instructions in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/solutions/core-landing-zone/0.3.0/docs/landing-zone-v2#kpt

[fmichaelobrien]

the following https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/pull/441 was affected by https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/pull/447

TODO: check all incoming links into files moved into the legacy folder for redirection see one change in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/475