Open fmichaelobrien opened 1 year ago
Procedure:
see kpt https://cloud.google.com/architecture/managing-cloud-infrastructure-using-kpt
start https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/README.md#quickstart
run setup-kcc.sh in https://github.com/ssc-spc-ccoe-cei/gcp-tools/blob/main/scripts/bootstrap/setup-kcc.sh
pdt-kls.env
export CLUSTER=kcc-kls3
export REGION=northamerica-northeast1
export PROJECT_ID=kcc-kls-cluster3
export LZ_FOLDER_NAME=kcc-lz-20230802b
export NETWORK=kcc-kls-vpc3
export SUBNET=kcc-kls-sn3
export ORG_ID=1564...993
export ROOT_FOLDER_ID=444332200332 #kcc folder
export BILLING_ID=01A4...9F
./setup-kcc.sh -af pdt-kls.env
run step 2 of the core-landing-zone-v2 readme - edit setters.yaml raise #450
org-id: "156...93"
lz-folder-id: '4443..32'
billing-id: "0152...33"
management-project-id: kc..ter3
management-project-number: "53..547"
management-namespace: config-control
allowed-contact-domains: |
- "@kc..tems"
# run 'gcloud organizations list' as described in https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#retrieving_customer_id
allowed-policy-domain-members: |
- "C0..m1"
logging-project-id: log...ct-kls
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ kpt pkg get https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git/solutions/experimentation/core-landing-zone@0.1.0
Package "core-landing-zone":
Fetching https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit@0.1.0
From https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit
* tag solutions/experimentation/core-landing-zone/0.1.0 -> FETCH_HEAD
Adding package "solutions/experimentation/core-landing-zone".
Fetched 1 package(s).
other lz
admin_@cloudshell:~/pdt-arg/main (pdt-arg-kcc11)$ kpt live apply core-landing-zone --reconcile-timeout=2m --output=table
..
projects IAMPartialPolicy/platform-and-component- Skipped Unknown - -
projects IAMPartialPolicy/security-log-bucket-wri Skipped Unknown - -
projects RoleBinding/allow-projects-resource-refe Successful Current <None> 1128h Resource is current
projects RoleBinding/allow-projects-resource-refe Successful Current <None> 1128h Resource is current
projects RoleBinding/allow-projects-resource-refe Successful Current <None> 1128h Resource is current
projects Project/logging-project-arg11 Successful InProgress Ready 1128h reference Folder hierarchy/audits is not
follow in #445 https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/409 specifically the kpt instructions in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/solutions/core-landing-zone/0.3.0/docs/landing-zone-v2#kpt
install
20230814: revisit kls
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ export PROJECT_ID=kcc-kls-cluster3
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ ls
core-landing-zone setters.yaml
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ rm -rf core-landing-zone/
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ kpt pkg get https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git/solutions/core-landing-zone@main
Package "core-landing-zone":
Fetching https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit@main
From https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit
* branch main -> FETCH_HEAD
+ 52f93a3...ea2e57f main -> origin/main (forced update)
Adding package "solutions/core-landing-zone".
Fetched 1 package(s).
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ cp setters.yaml core-landing-zone/
re-add kpt documentation at the end of section 2 see #409
https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/docs/landing-zone-v2#2-create-your-landing-zone needs https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/solutions/core-landing-zone/0.3.0/docs/landing-zone-v2#kpt
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ kpt live init core-landing-zone --namespace config-control
initializing "resourcegroup.yaml" data (namespace: config-control)...success
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ kpt fn render core-landing-zone
Package "core-landing-zone":
[RUNNING] "gcr.io/kpt-fn/apply-setters:v0.2"
[FAIL] "gcr.io/kpt-fn/apply-setters:v0.2" in 2.1s
Results:
[error]: failed to apply setters: values for setters [${platform-and-component-log-bucket}] must be provided
Stderr:
"values for setters [${platform-and-component-log-bucket}] must be providedvalues for setters [${platform-and-component-log-bucket}] must be provided"
Exit code: 1
fix: did not have the latest version of setters.yaml - updated
mirroring changes to my local repo from the core-landing-zone kpt folder download
root_@cloudshell:~/kcc-kls/lz-20230803-gh/pubsec-declarative-toolkit (kcc-kls-cluster3)$ git diff
diff --git a/solutions/core-landing-zone/setters.yaml b/solutions/core-landing-zone/setters.yaml
index f3168d3..ca53ae4 100644
--- a/solutions/core-landing-zone/setters.yaml
+++ b/solutions/core-landing-zone/setters.yaml
@@ -14,10 +14,11 @@
#########
apiVersion: v1
kind: ConfigMap
-metadata:
+metadata: # kpt-merge: /setters
name: setters
annotations:
config.kubernetes.io/local-config: "true"
+ internal.kpt.dev/upstream-identifier: '|ConfigMap|default|setters'
data:
##########################
# Instructions
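Review bot: the `# kpt-merge: /setters` comment and the `internal.kpt.dev/upstream-identifier` annotation added in this hunk are bookkeeping that `kpt pkg get` writes into the fetched copy of the package, not configuration; copying the fetched file back over the repo's template (as the mirroring step above does) carries them into source control. Copy only the changed `data:` values back, or diff the two files and apply just the value lines, so the template's metadata stays as upstream ships it.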
@@ -38,9 +39,9 @@ data:
# General Settings Values
##########################
#
- org-id: "0000000000"
- lz-folder-id: '0000000000'
- billing-id: "AAAAAA-BBBBBB-CCCCCC"
+ org-id: "15....993"
+ lz-folder-id: '444....332'
+ billing-id: "01....833"
#
##########################
# Management Project
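Review bot: `org-id`, `lz-folder-id` and `billing-id` here are tenant identifiers replacing the template's placeholders in a file tracked by the toolkit clone, so every later sync with upstream will conflict on these lines and a push would publish the billing account id. Keep the filled-in setters.yaml in the working directory next to the fetched package (the copy under lz-20230803 already serves that role) and leave the repo's template at its placeholder values.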
@@ -48,8 +49,8 @@ data:
#
# This is the project where the config controller instance is running
# Values can be viewed in the Project Dashboard
- management-project-id: management-project-12345
- management-project-number: "0000000000"
+ management-project-id: kcc-kls-cluster3
+ management-project-number: "53....547"
management-namespace: config-control
#
##########################
@@ -68,14 +69,14 @@ data:
# org/org-policies/essentialcontacts-allowed-contact-domains.yaml
# this setting MUST be changed
allowed-contact-domains: |
- - "@example.com"
+ - "@kcc.landing.systems"
#
# a list of directory customer IDs from which users can be added to IAM policies, see YAML file for more info:
# org/org-policies/iam-allowed-policy-member-domains.yaml
# this setting MUST be changed to include the GCP org's directory ID and any other directory containing users that will need IAM roles assigned
# run 'gcloud organizations list' as described in https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#retrieving_customer_id
allowed-policy-domain-members: |
- - "DIRECTORY_CUSTOMER_ID"
+ - "C0....m1"
#
# a list of allowed projects, folders, networks for VPC peering, see YAML file for more info:
# org/org-policies/compute-restrict-vpc-peering.yaml
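Review bot: the `allowed-vpc-peering` setter that follows this trailing context (the `compute-restrict-vpc-peering.yaml` comment) is left at its placeholder while `allowed-policy-domain-members` just above it is filled in; the apply output later in this issue shows the `compute-restrict-vpc-peering` ResourceManagerPolicy failing with `Invalid value: [under:organizations/ORGANIZATION_ID]`. Extend this hunk to replace that list item with `- "under:organizations/<org-id>"`, using the same id as the `org-id` setter.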
@@ -87,13 +88,13 @@ data:
# Logging
##########################
#
- logging-project-id: logging-project-12345
+ logging-project-id: logging-project-kls
#
# Log Buckets
# Security Logs Bucket
- security-log-bucket: security-log-bucket-12345
+ security-log-bucket: security-log-bucket-kls
# Platform and Component Log Bucket
- platform-and-component-log-bucket: platform-and-component-log-bucket-12345
+ platform-and-component-log-bucket: platform-and-component-log-bucket-kls
#
# Retention settings
# Set the number of days to retain logs in Cloud Logging buckets
@@ -110,8 +111,9 @@ data:
# DNS
##########################
#
- dns-project-id: dns-project-12345
- dns-name: "example.com."
+ dns-project-id: dns-project-kls
+ # the appended . is required by google cloud domain zones
+ dns-name: "kcc.landing.systems."
kpt rendering ok
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ kpt fn render core-landing-zone
Package "core-landing-zone":
[RUNNING] "gcr.io/kpt-fn/apply-setters:v0.2"
[PASS] "gcr.io/kpt-fn/apply-setters:v0.2" in 600ms
Results:
[info] spec.folderRef.external: set field value to "444332200332"
[info] metadata.name: set field value to "security-log-bucket-kls"
[info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/logging-project-kls"
[info] spec.projectRef.name: set field value to "logging-project-kls"
...(213 line(s) truncated, use '--truncate-output=false' to disable)
Successfully executed 1 function(s) in 1 package(s).
kpt live apply (20230414:1552)
kpt live apply core-landing-zone --reconcile-timeout=2m --output=table
coming up
NAMESPACE RESOURCE ACTION STATUS RECONCILED CONDITIONS AGE MESSAGE
Namespace/hierarchy Successful Current <None> 2m Resource is current
Namespace/logging Successful Current <None> 2m Resource is current
Namespace/networking Successful Current <None> 2m Resource is current
Namespace/policies Successful Current <None> 2m Resource is current
Namespace/projects Successful Current <None> 2m Resource is current
config-con IAMCustomRole/gke-firewall-admin Successful Current Ready 2m Resource is Current
config-con IAMCustomRole/tier2-dnsrecord-admin Successful Current Ready 2m Resource is Current
config-con IAMCustomRole/tier2-vpcpeering-admin Successful Current Ready 2m Resource is Current
config-con IAMCustomRole/tier3-dnsrecord-admin Successful Current Ready 2m Resource is Current
config-con IAMCustomRole/tier3-firewallrule-admin Successful Current Ready 2m Resource is Current
config-con IAMCustomRole/tier3-vpcsc-admin Successful Current Ready 2m Resource is Current
config-con IAMPartialPolicy/gatekeeper-admin-sa-wor Successful Current Ready 2m Resource is Current
config-con IAMPartialPolicy/hierarchy-sa-workload-i Successful Current Ready 2m Resource is Current
config-con IAMPartialPolicy/logging-sa-workload-ide Successful Current Ready 2m Resource is Current
config-con IAMPartialPolicy/networking-sa-workload- Successful Current Ready 2m Resource is Current
config-con IAMPartialPolicy/policies-sa-workload-id Successful Current Ready 2m Resource is Current
config-con IAMPartialPolicy/projects-sa-workload-id Successful Current Ready 2m Resource is Current
config-con IAMPolicyMember/config-control-sa-manage Successful Current Ready 2m Resource is Current
config-con IAMPolicyMember/config-control-sa-manage Successful Current Ready 2m Resource is Current
config-con IAMPolicyMember/config-control-sa-orgrol Successful Current Ready 2m Resource is Current
config-con IAMPolicyMember/gatekeeper-admin-sa-metr Successful Current Ready 2m Resource is Current
config-con IAMPolicyMember/hierarchy-sa-folderadmin Successful Current Ready 2m Resource is Current
config-con IAMPolicyMember/logging-sa-bigqueryadmin Successful Current Ready 2m Resource is Current
config-con IAMPolicyMember/logging-sa-logadmin-perm Successful Current Ready 2m Resource is Current
config-con IAMPolicyMember/networking-sa-dns-permis Successful Current Ready 2m Resource is Current
config-con IAMPolicyMember/networking-sa-networkadm Successful Current Ready 2m Resource is Current
config-con IAMPolicyMember/networking-sa-security-p Successful Current Ready 2m Resource is Current
config-con IAMPolicyMember/networking-sa-service-co Successful Current Ready 2m Resource is Current
config-con IAMPolicyMember/networking-sa-servicedir Successful Current Ready 2m Resource is Current
config-con IAMPolicyMember/networking-sa-xpnadmin-p Successful Current Ready 2m Resource is Current
config-con IAMPolicyMember/policies-sa-orgpolicyadm Successful Current Ready 2m Resource is Current
config-con IAMPolicyMember/projects-sa-billinguser- Successful Current Ready 2m Resource is Current
config-con IAMPolicyMember/projects-sa-projectcreat Successful Current Ready 2m Resource is Current
config-con IAMPolicyMember/projects-sa-projectdelet Successful Failed Ready 2m Update call failed: error setting policy
config-con IAMPolicyMember/projects-sa-projectiamad Successful Failed Ready 2m Update call failed: error setting policy
config-con IAMPolicyMember/projects-sa-projectmover Successful Failed Ready 2m Update call failed: error setting policy
config-con IAMPolicyMember/projects-sa-serviceusage Successful Failed Ready 2m Update call failed: error setting policy
config-con IAMServiceAccount/gatekeeper-admin-sa Successful Current Ready 2m Resource is Current
config-con IAMServiceAccount/hierarchy-sa Successful Current Ready 2m Resource is Current
config-con IAMServiceAccount/logging-sa Successful Current Ready 2m Resource is Current
config-con IAMServiceAccount/networking-sa Successful Current Ready 2m Resource is Current
config-con IAMServiceAccount/policies-sa Successful Current Ready 2m Resource is Current
config-con IAMServiceAccount/projects-sa Successful Current Ready 2m Resource is Current
config-con Service/kcc-kls-cluster3-accesscontextma Successful Current Ready 2m Resource is Current
config-con Service/kcc-kls-cluster3-cloudbilling Successful Current Ready 2m Resource is Current
config-con Service/kcc-kls-cluster3-cloudresourcema Successful Current Ready 2m Resource is Current
config-con Service/kcc-kls-cluster3-serviceusage Successful Current Ready 2m Resource is Current
gatekeeper ConfigConnectorContext/configconnectorco Successful Current <None> 2m status.healthy is true
hierarchy ConfigConnectorContext/configconnectorco Successful Current <None> 35s status.healthy is true
hierarchy RoleBinding/allow-folders-resource-refer Successful Current <None> 37s Resource is current
hierarchy RoleBinding/allow-hierarchy-resource-ref Successful Current <None> 37s Resource is current
hierarchy RoleBinding/allow-hierarchy-resource-ref Successful Current <None> 37s Resource is current
hierarchy RoleBinding/allow-hierarchy-resource-ref Successful Current <None> 36s Resource is current
hierarchy Folder/audits Successful Current Ready 34s Resource is Current
hierarchy Folder/clients Successful Current Ready 33s Resource is Current
hierarchy Folder/services Successful Current Ready 33s Resource is Current
hierarchy Folder/services-infrastructure Successful Current Ready 33s Resource is Current
logging ConfigConnectorContext/configconnectorco Successful Current <None> 35s status.healthy is true
logging LoggingLogBucket/platform-and-component- Skipped Unknown - -
logging LoggingLogBucket/security-log-bucket-kls Skipped Unknown - -
logging LoggingLogSink/logging-project-kls-secur Skipped Unknown - -
logging LoggingLogSink/mgmt-project-cluster-disa Skipped Unknown - -
logging LoggingLogSink/mgmt-project-cluster-plat Skipped Unknown - -
logging LoggingLogSink/platform-and-component-se Skipped Unknown - -
logging LoggingLogSink/platform-and-component-se Skipped Unknown - -
logging RoleBinding/allow-logging-resource-refer Successful Current <None> 36s Resource is current
networking ConfigConnectorContext/configconnectorco Successful Current <None> 35s status.healthy is true
networking DNSManagedZone/dns-project-kls-standard- Skipped Unknown - -
policies ConfigConnectorContext/configconnectorco Successful Current <None> 35s status.healthy is true
policies ResourceManagerPolicy/compute-disable-gu Successful Current Ready 32s Resource is Current
policies ResourceManagerPolicy/compute-disable-ne Successful Current Ready 32s Resource is Current
policies ResourceManagerPolicy/compute-disable-se Successful Current Ready 32s Resource is Current
policies ResourceManagerPolicy/compute-disable-vp Successful Current Ready 32s Resource is Current
policies ResourceManagerPolicy/compute-require-os Successful Current Ready 32s Resource is Current
policies ResourceManagerPolicy/compute-require-sh Successful Current Ready 31s Resource is Current
policies ResourceManagerPolicy/compute-require-sh Successful Current Ready 31s Resource is Current
policies ResourceManagerPolicy/compute-restrict-l Successful Current Ready 31s Resource is Current
policies ResourceManagerPolicy/compute-restrict-s Successful Current Ready 31s Resource is Current
policies ResourceManagerPolicy/compute-restrict-v Successful Failed Ready 30s Update call failed: error applying desir
policies ResourceManagerPolicy/compute-skip-defau Successful Current Ready 30s Resource is Current
policies ResourceManagerPolicy/compute-trusted-im Successful Current Ready 30s Resource is Current
policies ResourceManagerPolicy/compute-vm-can-ip- Successful Current Ready 30s Resource is Current
policies ResourceManagerPolicy/compute-vm-externa Successful Current Ready 30s Resource is Current
policies ResourceManagerPolicy/essentialcontacts- Successful Current Ready 29s Resource is Current
policies ResourceManagerPolicy/gcp-restrict-resou Successful Current Ready 29s Resource is Current
policies ResourceManagerPolicy/iam-allowed-policy Successful Current Ready 29s Resource is Current
policies ResourceManagerPolicy/iam-disable-servic Successful Current Ready 29s Resource is Current
policies ResourceManagerPolicy/sql-restrict-publi Successful Current Ready 29s Resource is Current
policies ResourceManagerPolicy/storage-public-acc Successful Current Ready 28s Resource is Current
policies ResourceManagerPolicy/storage-uniform-bu Successful Current Ready 28s Resource is Current
projects ConfigConnectorContext/configconnectorco Successful Current <None> 35s status.healthy is true
projects IAMAuditConfig/logging-project-data-acce Skipped Unknown - -
projects IAMPartialPolicy/mgmt-project-cluster-pl Skipped Unknown - -
projects IAMPartialPolicy/platform-and-component- Skipped Unknown - -
projects IAMPartialPolicy/platform-and-component- Skipped Unknown - -
projects IAMPartialPolicy/security-log-bucket-wri Skipped Unknown - -
projects RoleBinding/allow-projects-resource-refe Successful Current <None> 36s Resource is current
projects RoleBinding/allow-projects-resource-refe Successful Current <None> 36s Resource is current
projects RoleBinding/allow-projects-resource-refe Successful Current <None> 36s Resource is current
projects Project/dns-project-kls Successful Failed Ready 2s Update call failed: error fetching live
projects Project/logging-project-kls Successful Failed Ready 33s Update call failed: error fetching live
projects Service/dns-project-kls-dns Skipped Unknown - -
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
cnrm-system cnrm-controller-manager-3fo6phebqgg23knqq5qq-0 2/2 Running 0 4m2s
cnrm-system cnrm-controller-manager-7c4rehlik7xgxc2utq6a-0 2/2 Running 0 4m2s
cnrm-system cnrm-controller-manager-fiqj4dqbgpwy6mlvh25q-0 2/2 Running 0 4m
cnrm-system cnrm-controller-manager-ghhiigeeussitzq7mfza-0 2/2 Running 0 4m
cnrm-system cnrm-controller-manager-gnunqke5gjhr55wngr7q-0 2/2 Running 0 4m1s
cnrm-system cnrm-controller-manager-sgfj3cxgisp6jdsfy7qq-0 2/2 Running 0 5d3h
cnrm-system cnrm-controller-manager-swyfekd4gcdftjnvc2qa-0 2/2 Running 0 5m29s
cnrm-system cnrm-deletiondefender-0 1/1 Running 0 5d3h
cnrm-system cnrm-resource-stats-recorder-88bfdfd56-kqdq2 2/2 Running 0 5d3h
cnrm-system cnrm-unmanaged-detector-0 1/1 Running 0 5d3h
cnrm-system cnrm-webhook-manager-54c8477885-cr54f 1/1 Running 0 5d3h
cnrm-system cnrm-webhook-manager-54c8477885-plgkd 1/1 Running 0 4m36s
cnrm-system cnrm-webhook-manager-54c8477885-ssldj 1/1 Running 0 5d3h
config-management-monitoring otel-collector-865b4f4968-l89bt 1/1 Running 0 5d3h
config-management-system config-management-operator-5db59f7f8f-5fb4p 1/1 Running 0 5d3h
config-management-system reconciler-manager-5cddc57f5-bxc86 2/2 Running 0 5d3h
configconnector-operator-system configconnector-operator-0 1/1 Running 0 5d3h
gatekeeper-system gatekeeper-audit-6d686f5467-zlwzr 1/1 Running 0 5d3h
gatekeeper-system gatekeeper-controller-manager-6b47854cf5-nsmzs 1/1 Running 0 5d3h
gke-gmp-system alertmanager-0 2/2 Running 2 (11d ago) 11d
gke-gmp-system collector-bb4st 2/2 Running 2 (11d ago) 11d
gke-gmp-system collector-h4j24 2/2 Running 1 (11d ago) 11d
gke-gmp-system collector-szhxn 2/2 Running 2 (11d ago) 11d
gke-gmp-system gmp-operator-7645bc584f-5d8gf 1/1 Running 0 30h
gke-gmp-system rule-evaluator-767c5ccc99-7mbnt 2/2 Running 2 (11d ago) 11d
krmapihosting-monitoring krmapihosting-metrics-agent-55glj 1/1 Running 0 11d
krmapihosting-monitoring krmapihosting-metrics-agent-9nlw9 1/1 Running 0 11d
krmapihosting-monitoring krmapihosting-metrics-agent-d8xm9 1/1 Running 0 11d
krmapihosting-system bootstrap-5d5578f758-sh76w 1/1 Running 0 5d3h
kube-system anetd-cg6g9 1/1 Running 0 11d
kube-system anetd-f2gpt 1/1 Running 0 11d
kube-system anetd-r7gr2 1/1 Running 0 11d
kube-system antrea-controller-horizontal-autoscaler-7b69d9bfd7-rqq8r 1/1 Running 0 11d
kube-system egress-nat-controller-98648bc69-fm8nk 1/1 Running 0 11d
kube-system event-exporter-gke-7bf6c99dcb-c5dd9 2/2 Running 0 11d
kube-system filestore-node-4p9cx 3/3 Running 0 11d
kube-system filestore-node-5jlfv 3/3 Running 0 11d
kube-system filestore-node-74pm4 3/3 Running 1 (7d6h ago) 11d
kube-system fluentbit-gke-big-6hsk5 2/2 Running 0 11d
kube-system fluentbit-gke-big-sxkh2 2/2 Running 0 11d
kube-system fluentbit-gke-big-vm26j 2/2 Running 0 11d
kube-system gcsfusecsi-node-7k76l 2/2 Running 0 11d
kube-system gcsfusecsi-node-j8r4b 2/2 Running 0 11d
kube-system gcsfusecsi-node-sq62q 2/2 Running 0 11d
kube-system gke-metadata-server-btb9x 1/1 Running 0 30h
kube-system gke-metadata-server-l447p 1/1 Running 0 30h
kube-system gke-metadata-server-w7brs 1/1 Running 0 30h
kube-system gke-metrics-agent-9hvwg 2/2 Running 0 11d
kube-system gke-metrics-agent-j4xvr 2/2 Running 0 11d
kube-system gke-metrics-agent-spdl8 2/2 Running 0 11d
kube-system ip-masq-agent-cphwd 1/1 Running 0 11d
kube-system ip-masq-agent-n7nbw 1/1 Running 0 11d
kube-system ip-masq-agent-r8pvq 1/1 Running 0 11d
kube-system konnectivity-agent-5b687c8dcb-d64h7 1/1 Running 0 5d3h
kube-system konnectivity-agent-5b687c8dcb-dkrth 1/1 Running 0 11d
kube-system konnectivity-agent-5b687c8dcb-vgmkm 1/1 Running 0 11d
kube-system konnectivity-agent-autoscaler-5d9dbcc6d8-2s5dp 1/1 Running 0 11d
kube-system kube-dns-865c4fb86d-k5b2c 4/4 Running 0 11d
kube-system kube-dns-865c4fb86d-skmk6 4/4 Running 0 11d
kube-system kube-dns-autoscaler-84b8db4dc7-h47j6 1/1 Running 0 11d
kube-system l7-default-backend-58c4fb8884-7n45b 1/1 Running 0 2d6h
kube-system metrics-server-v0.5.2-6bf74b5d5f-fknxl 2/2 Running 0 11d
kube-system netd-dtqvj 1/1 Running 0 11d
kube-system netd-l5wgc 1/1 Running 0 11d
kube-system netd-nhgl9 1/1 Running 0 11d
kube-system node-local-dns-5wzzk 1/1 Running 0 11d
kube-system node-local-dns-bxqzh 1/1 Running 0 11d
kube-system node-local-dns-fkfln 1/1 Running 0 11d
kube-system pdcsi-node-h8jzw 2/2 Running 0 9d
kube-system pdcsi-node-hl6m6 2/2 Running 0 9d
kube-system pdcsi-node-sxfns 2/2 Running 0 9d
resource-group-system resource-group-controller-manager-5594cd7b8-l87bc 2/2 Running 0 5d3h
just 1 org policy has an issue: missed a setters.yaml var, [under:organizations/ORGANIZATION_ID]
allowed-vpc-peering: |
- "under:organizations/15..."
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ kpt live status core-landing-zone
inventory-85852139/folder.resourcemanager.cnrm.cloud.google.com/hierarchy/audits is Current: Resource is Current
inventory-85852139/project.resourcemanager.cnrm.cloud.google.com/projects/logging-project-kls is Current: Resource is Current
inventory-85852139/folder.resourcemanager.cnrm.cloud.google.com/hierarchy/clients is Current: Resource is Current
inventory-85852139/folder.resourcemanager.cnrm.cloud.google.com/hierarchy/services is Current: Resource is Current
inventory-85852139/project.resourcemanager.cnrm.cloud.google.com/projects/dns-project-kls is Current: Resource is Current
inventory-85852139/folder.resourcemanager.cnrm.cloud.google.com/hierarchy/services-infrastructure is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-require-shielded-vm-except-mgt-project is Current: Resource is Current
inventory-85852139/service.serviceusage.cnrm.cloud.google.com/config-control/kcc-kls-cluster3-cloudbilling is Current: Resource is Current
inventory-85852139/service.serviceusage.cnrm.cloud.google.com/config-control/kcc-kls-cluster3-cloudresourcemanager is Current: Resource is Current
inventory-85852139/service.serviceusage.cnrm.cloud.google.com/config-control/kcc-kls-cluster3-serviceusage is Current: Resource is Current
inventory-85852139/service.serviceusage.cnrm.cloud.google.com/config-control/kcc-kls-cluster3-accesscontextmanager is Current: Resource is Current
inventory-85852139/iamserviceaccount.iam.cnrm.cloud.google.com/config-control/gatekeeper-admin-sa is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/gatekeeper-admin-sa-metric-writer-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/config-control/gatekeeper-admin-sa-workload-identity-binding is Current: Resource is Current
inventory-85852139/configconnectorcontext.core.cnrm.cloud.google.com/gatekeeper-system/configconnectorcontext.core.cnrm.cloud.google.com is Current: status.healthy is true
inventory-85852139/iamserviceaccount.iam.cnrm.cloud.google.com/config-control/hierarchy-sa is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/hierarchy-sa-folderadmin-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/config-control/hierarchy-sa-workload-identity-binding is Current: Resource is Current
inventory-85852139/namespace//hierarchy is Current: Resource is current
inventory-85852139/configconnectorcontext.core.cnrm.cloud.google.com/hierarchy/configconnectorcontext.core.cnrm.cloud.google.com is Current: status.healthy is true
inventory-85852139/rolebinding.rbac.authorization.k8s.io/hierarchy/allow-hierarchy-resource-reference-from-projects is Current: Resource is current
inventory-85852139/rolebinding.rbac.authorization.k8s.io/hierarchy/allow-hierarchy-resource-reference-from-policies is Current: Resource is current
inventory-85852139/rolebinding.rbac.authorization.k8s.io/hierarchy/allow-hierarchy-resource-reference-from-config-control is Current: Resource is current
inventory-85852139/rolebinding.rbac.authorization.k8s.io/hierarchy/allow-folders-resource-reference-to-logging is Current: Resource is current
inventory-85852139/iamserviceaccount.iam.cnrm.cloud.google.com/config-control/logging-sa is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/logging-sa-logadmin-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/logging-sa-bigqueryadmin-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/config-control/logging-sa-workload-identity-binding is Current: Resource is Current
inventory-85852139/namespace//logging is Current: Resource is current
inventory-85852139/configconnectorcontext.core.cnrm.cloud.google.com/logging/configconnectorcontext.core.cnrm.cloud.google.com is Current: status.healthy is true
inventory-85852139/rolebinding.rbac.authorization.k8s.io/logging/allow-logging-resource-reference-from-projects is Current: Resource is current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/config-control-sa-orgroleadmin-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/config-control-sa-management-project-editor-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/config-control-sa-management-project-serviceaccountadmin-permissions is Current: Resource is Current
inventory-85852139/iamserviceaccount.iam.cnrm.cloud.google.com/config-control/networking-sa is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/networking-sa-networkadmin-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/networking-sa-security-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/networking-sa-dns-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/networking-sa-service-control-org-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/networking-sa-xpnadmin-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/networking-sa-servicedirectoryeditor-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/config-control/networking-sa-workload-identity-binding is Current: Resource is Current
inventory-85852139/namespace//networking is Current: Resource is current
inventory-85852139/configconnectorcontext.core.cnrm.cloud.google.com/networking/configconnectorcontext.core.cnrm.cloud.google.com is Current: status.healthy is true
inventory-85852139/iamserviceaccount.iam.cnrm.cloud.google.com/config-control/policies-sa is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/policies-sa-orgpolicyadmin-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/config-control/policies-sa-workload-identity-binding is Current: Resource is Current
inventory-85852139/namespace//policies is Current: Resource is current
inventory-85852139/configconnectorcontext.core.cnrm.cloud.google.com/policies/configconnectorcontext.core.cnrm.cloud.google.com is Current: status.healthy is true
inventory-85852139/iamserviceaccount.iam.cnrm.cloud.google.com/config-control/projects-sa is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/projects-sa-projectiamadmin-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/projects-sa-projectcreator-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/projects-sa-projectmover-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/projects-sa-projectdeleter-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/projects-sa-serviceusageadmin-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/projects-sa-billinguser-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/config-control/projects-sa-workload-identity-binding is Current: Resource is Current
inventory-85852139/namespace//projects is Current: Resource is current
inventory-85852139/configconnectorcontext.core.cnrm.cloud.google.com/projects/configconnectorcontext.core.cnrm.cloud.google.com is Current: status.healthy is true
inventory-85852139/rolebinding.rbac.authorization.k8s.io/projects/allow-projects-resource-reference-from-logging is Current: Resource is current
inventory-85852139/rolebinding.rbac.authorization.k8s.io/projects/allow-projects-resource-reference-from-networking is Current: Resource is current
inventory-85852139/rolebinding.rbac.authorization.k8s.io/projects/allow-projects-resource-reference-from-policies is Current: Resource is current
inventory-85852139/iamcustomrole.iam.cnrm.cloud.google.com/config-control/gke-firewall-admin is Current: Resource is Current
inventory-85852139/iamcustomrole.iam.cnrm.cloud.google.com/config-control/tier2-dnsrecord-admin is Current: Resource is Current
inventory-85852139/iamcustomrole.iam.cnrm.cloud.google.com/config-control/tier2-vpcpeering-admin is Current: Resource is Current
inventory-85852139/iamcustomrole.iam.cnrm.cloud.google.com/config-control/tier3-dnsrecord-admin is Current: Resource is Current
inventory-85852139/iamcustomrole.iam.cnrm.cloud.google.com/config-control/tier3-firewallrule-admin is Current: Resource is Current
inventory-85852139/iamcustomrole.iam.cnrm.cloud.google.com/config-control/tier3-vpcsc-admin is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-disable-guest-attribute-access is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-disable-nested-virtualization is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-disable-serial-port-access is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-disable-vpc-external-ipv6 is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-require-os-login is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-require-shielded-vm is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-restrict-load-balancer-creation-for-types is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-restrict-shared-vpc-lien-removal is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-restrict-vpc-peering is Failed: Update call failed: error applying desired state: summary: googleapi: Error 400: One or more values is invalid.
Details:
[
{
"@type": "type.googleapis.com/google.rpc.BadRequest",
"fieldViolations": [
{
"description": "Invalid value: [under:organizations/ORGANIZATION_ID]",
"field": "policy.list_policy.allowed_values[0]"
}
]
}
]
, badRequest
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-skip-default-network-creation is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-trusted-image-projects is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-vm-can-ip-forward is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-vm-external-ip-access is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/essentialcontacts-allowed-contact-domains is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/gcp-restrict-resource-locations is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/iam-allowed-policy-member-domains is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/iam-disable-service-account-key-creation is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/sql-restrict-public-ip is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/storage-public-access-prevention is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/storage-uniform-bucket-level-access is Current: Resource is Current
fixing
NAMESPACE RESOURCE ACTION STATUS RECONCILED CONDITIONS AGE MESSAGE
Namespace/hierarchy Successful Current <None> 61m Resource is current
Namespace/logging Successful Current <None> 61m Resource is current
Namespace/networking Successful Current <None> 61m Resource is current
Namespace/policies Successful Current <None> 61m Resource is current
Namespace/projects Successful Current <None> 61m Resource is current
config-con IAMCustomRole/gke-firewall-admin Successful Current Ready 61m Resource is Current
config-con IAMCustomRole/tier2-dnsrecord-admin Successful Current Ready 61m Resource is Current
config-con IAMCustomRole/tier2-vpcpeering-admin Successful Current Ready 61m Resource is Current
config-con IAMCustomRole/tier3-dnsrecord-admin Successful Current Ready 61m Resource is Current
config-con IAMCustomRole/tier3-firewallrule-admin Successful Current Ready 61m Resource is Current
config-con IAMCustomRole/tier3-vpcsc-admin Successful Current Ready 61m Resource is Current
config-con IAMPartialPolicy/gatekeeper-admin-sa-wor Successful Current Ready 61m Resource is Current
config-con IAMPartialPolicy/hierarchy-sa-workload-i Successful Current Ready 61m Resource is Current
config-con IAMPartialPolicy/logging-sa-workload-ide Successful Current Ready 61m Resource is Current
config-con IAMPartialPolicy/networking-sa-workload- Successful Current Ready 61m Resource is Current
config-con IAMPartialPolicy/policies-sa-workload-id Successful Current Ready 61m Resource is Current
config-con IAMPartialPolicy/projects-sa-workload-id Successful Current Ready 61m Resource is Current
config-con IAMPolicyMember/config-control-sa-manage Successful Current Ready 61m Resource is Current
config-con IAMPolicyMember/config-control-sa-manage Successful Current Ready 61m Resource is Current
config-con IAMPolicyMember/config-control-sa-orgrol Successful Current Ready 61m Resource is Current
config-con IAMPolicyMember/gatekeeper-admin-sa-metr Successful Current Ready 61m Resource is Current
config-con IAMPolicyMember/hierarchy-sa-folderadmin Successful Current Ready 61m Resource is Current
config-con IAMPolicyMember/logging-sa-bigqueryadmin Successful Current Ready 61m Resource is Current
config-con IAMPolicyMember/logging-sa-logadmin-perm Successful Current Ready 61m Resource is Current
config-con IAMPolicyMember/networking-sa-dns-permis Successful Current Ready 61m Resource is Current
config-con IAMPolicyMember/networking-sa-networkadm Successful Current Ready 61m Resource is Current
config-con IAMPolicyMember/networking-sa-security-p Successful Current Ready 61m Resource is Current
config-con IAMPolicyMember/networking-sa-service-co Successful Current Ready 61m Resource is Current
config-con IAMPolicyMember/networking-sa-servicedir Successful Current Ready 61m Resource is Current
config-con IAMPolicyMember/networking-sa-xpnadmin-p Successful Current Ready 61m Resource is Current
config-con IAMPolicyMember/policies-sa-orgpolicyadm Successful Current Ready 61m Resource is Current
config-con IAMPolicyMember/projects-sa-billinguser- Successful Current Ready 61m Resource is Current
config-con IAMPolicyMember/projects-sa-projectcreat Successful Current Ready 61m Resource is Current
config-con IAMPolicyMember/projects-sa-projectdelet Successful Current Ready 61m Resource is Current
config-con IAMPolicyMember/projects-sa-projectiamad Successful Current Ready 61m Resource is Current
config-con IAMPolicyMember/projects-sa-projectmover Successful Current Ready 61m Resource is Current
config-con IAMPolicyMember/projects-sa-serviceusage Successful Current Ready 61m Resource is Current
config-con IAMServiceAccount/gatekeeper-admin-sa Successful Current Ready 61m Resource is Current
config-con IAMServiceAccount/hierarchy-sa Successful Current Ready 61m Resource is Current
config-con IAMServiceAccount/logging-sa Successful Current Ready 61m Resource is Current
config-con IAMServiceAccount/networking-sa Successful Current Ready 61m Resource is Current
config-con IAMServiceAccount/policies-sa Successful Current Ready 61m Resource is Current
config-con IAMServiceAccount/projects-sa Successful Current Ready 61m Resource is Current
config-con Service/kcc-kls-cluster3-accesscontextma Successful Current Ready 61m Resource is Current
config-con Service/kcc-kls-cluster3-cloudbilling Successful Current Ready 61m Resource is Current
config-con Service/kcc-kls-cluster3-cloudresourcema Successful Current Ready 61m Resource is Current
config-con Service/kcc-kls-cluster3-serviceusage Successful Current Ready 61m Resource is Current
gatekeeper ConfigConnectorContext/configconnectorco Successful Current <None> 61m status.healthy is true
hierarchy ConfigConnectorContext/configconnectorco Successful Current <None> 60m status.healthy is true
hierarchy RoleBinding/allow-folders-resource-refer Successful Current <None> 60m Resource is current
hierarchy RoleBinding/allow-hierarchy-resource-ref Successful Current <None> 60m Resource is current
hierarchy RoleBinding/allow-hierarchy-resource-ref Successful Current <None> 60m Resource is current
hierarchy RoleBinding/allow-hierarchy-resource-ref Successful Current <None> 60m Resource is current
hierarchy Folder/audits Successful Current Ready 60m Resource is Current
hierarchy Folder/clients Successful Current Ready 60m Resource is Current
hierarchy Folder/services Successful Current Ready 60m Resource is Current
hierarchy Folder/services-infrastructure Successful Current Ready 60m Resource is Current
logging ConfigConnectorContext/configconnectorco Successful Current <None> 60m status.healthy is true
logging LoggingLogBucket/platform-and-component- Successful Current Ready 3m Resource is Current
logging LoggingLogBucket/security-log-bucket-kls Successful Current Ready 3m Resource is Current
logging LoggingLogSink/logging-project-kls-secur Successful Current Ready 32s Resource is Current
logging LoggingLogSink/mgmt-project-cluster-disa Successful Current Ready 3m Resource is Current
logging LoggingLogSink/mgmt-project-cluster-plat Successful Current Ready 31s Resource is Current
logging LoggingLogSink/platform-and-component-se Successful Current Ready 31s Resource is Current
logging LoggingLogSink/platform-and-component-se Successful Current Ready 31s Resource is Current
logging RoleBinding/allow-logging-resource-refer Successful Current <None> 60m Resource is current
networking ConfigConnectorContext/configconnectorco Successful Current <None> 60m status.healthy is true
networking DNSManagedZone/dns-project-kls-standard- Successful InProgress Ready 32s Update in progress
policies ConfigConnectorContext/configconnectorco Successful Current <None> 60m status.healthy is true
policies ResourceManagerPolicy/compute-disable-gu Successful Current Ready 60m Resource is Current
policies ResourceManagerPolicy/compute-disable-ne Successful Current Ready 60m Resource is Current
policies ResourceManagerPolicy/compute-disable-se Successful Current Ready 60m Resource is Current
policies ResourceManagerPolicy/compute-disable-vp Successful Current Ready 60m Resource is Current
policies ResourceManagerPolicy/compute-require-os Successful Current Ready 60m Resource is Current
policies ResourceManagerPolicy/compute-require-sh Successful Current Ready 60m Resource is Current
policies ResourceManagerPolicy/compute-require-sh Successful Current Ready 60m Resource is Current
policies ResourceManagerPolicy/compute-restrict-l Successful Current Ready 60m Resource is Current
policies ResourceManagerPolicy/compute-restrict-s Successful Current Ready 60m Resource is Current
policies ResourceManagerPolicy/compute-restrict-v Successful Current Ready 60m Resource is Current
policies ResourceManagerPolicy/compute-skip-defau Successful Current Ready 60m Resource is Current
policies ResourceManagerPolicy/compute-trusted-im Successful Current Ready 60m Resource is Current
policies ResourceManagerPolicy/compute-vm-can-ip- Successful Current Ready 60m Resource is Current
policies ResourceManagerPolicy/compute-vm-externa Successful Current Ready 60m Resource is Current
policies ResourceManagerPolicy/essentialcontacts- Successful Current Ready 60m Resource is Current
policies ResourceManagerPolicy/gcp-restrict-resou Successful Current Ready 60m Resource is Current
policies ResourceManagerPolicy/iam-allowed-policy Successful Current Ready 60m Resource is Current
policies ResourceManagerPolicy/iam-disable-servic Successful Current Ready 60m Resource is Current
policies ResourceManagerPolicy/sql-restrict-publi Successful Current Ready 60m Resource is Current
policies ResourceManagerPolicy/storage-public-acc Successful Current Ready 60m Resource is Current
policies ResourceManagerPolicy/storage-uniform-bu Successful Current Ready 60m Resource is Current
projects ConfigConnectorContext/configconnectorco Successful Current <None> 60m status.healthy is true
projects IAMAuditConfig/logging-project-data-acce Successful Current Ready 3m Resource is Current
projects IAMPartialPolicy/mgmt-project-cluster-pl Successful Current Ready 3m Resource is Current
projects IAMPartialPolicy/platform-and-component- Successful Current Ready 3m Resource is Current
projects IAMPartialPolicy/platform-and-component- Successful Current Ready 3m Resource is Current
projects IAMPartialPolicy/security-log-bucket-wri Successful Current Ready 3m Resource is Current
projects RoleBinding/allow-projects-resource-refe Successful Current <None> 60m Resource is current
projects RoleBinding/allow-projects-resource-refe Successful Current <None> 60m Resource is current
projects RoleBinding/allow-projects-resource-refe Successful Current <None> 60m Resource is current
projects Project/dns-project-kls Successful Current Ready 59m Resource is Current
projects Project/logging-project-kls Successful Current Ready 60m Resource is Current
projects Service/dns-project-kls-dns Successful Current Ready 30s Resource is Current
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ kpt live status core-landing-zone
inventory-85852139/folder.resourcemanager.cnrm.cloud.google.com/hierarchy/audits is Current: Resource is Current
inventory-85852139/logginglogbucket.logging.cnrm.cloud.google.com/logging/security-log-bucket-kls is Current: Resource is Current
inventory-85852139/logginglogbucket.logging.cnrm.cloud.google.com/logging/platform-and-component-log-bucket-kls is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/projects/security-log-bucket-writer-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/projects/platform-and-component-services-log-bucket-writer-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/projects/platform-and-component-services-infra-log-bucket-writer-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/projects/mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions is Current: Resource is Current
inventory-85852139/iamauditconfig.iam.cnrm.cloud.google.com/projects/logging-project-data-access-log-config is Current: Resource is Current
inventory-85852139/project.resourcemanager.cnrm.cloud.google.com/projects/logging-project-kls is Current: Resource is Current
inventory-85852139/folder.resourcemanager.cnrm.cloud.google.com/hierarchy/clients is Current: Resource is Current
inventory-85852139/logginglogsink.logging.cnrm.cloud.google.com/logging/platform-and-component-services-log-sink is Current: Resource is Current
inventory-85852139/folder.resourcemanager.cnrm.cloud.google.com/hierarchy/services is Current: Resource is Current
inventory-85852139/dnsmanagedzone.dns.cnrm.cloud.google.com/networking/dns-project-kls-standard-core-public-dns is Current: Resource is Current
inventory-85852139/project.resourcemanager.cnrm.cloud.google.com/projects/dns-project-kls is Current: Resource is Current
inventory-85852139/service.serviceusage.cnrm.cloud.google.com/projects/dns-project-kls-dns is Current: Resource is Current
inventory-85852139/logginglogsink.logging.cnrm.cloud.google.com/logging/platform-and-component-services-infra-log-sink is Current: Resource is Current
inventory-85852139/folder.resourcemanager.cnrm.cloud.google.com/hierarchy/services-infrastructure is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-require-shielded-vm-except-mgt-project is Current: Resource is Current
inventory-85852139/logginglogsink.logging.cnrm.cloud.google.com/logging/mgmt-project-cluster-platform-and-component-log-sink is Current: Resource is Current
inventory-85852139/logginglogsink.logging.cnrm.cloud.google.com/logging/mgmt-project-cluster-disable-default-bucket is Current: Resource is Current
inventory-85852139/service.serviceusage.cnrm.cloud.google.com/config-control/kcc-kls-cluster3-cloudbilling is Current: Resource is Current
inventory-85852139/service.serviceusage.cnrm.cloud.google.com/config-control/kcc-kls-cluster3-cloudresourcemanager is Current: Resource is Current
inventory-85852139/service.serviceusage.cnrm.cloud.google.com/config-control/kcc-kls-cluster3-serviceusage is Current: Resource is Current
inventory-85852139/service.serviceusage.cnrm.cloud.google.com/config-control/kcc-kls-cluster3-accesscontextmanager is Current: Resource is Current
inventory-85852139/iamserviceaccount.iam.cnrm.cloud.google.com/config-control/gatekeeper-admin-sa is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/gatekeeper-admin-sa-metric-writer-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/config-control/gatekeeper-admin-sa-workload-identity-binding is Current: Resource is Current
inventory-85852139/configconnectorcontext.core.cnrm.cloud.google.com/gatekeeper-system/configconnectorcontext.core.cnrm.cloud.google.com is Current: status.healthy is true
inventory-85852139/iamserviceaccount.iam.cnrm.cloud.google.com/config-control/hierarchy-sa is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/hierarchy-sa-folderadmin-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/config-control/hierarchy-sa-workload-identity-binding is Current: Resource is Current
inventory-85852139/namespace//hierarchy is Current: Resource is current
inventory-85852139/configconnectorcontext.core.cnrm.cloud.google.com/hierarchy/configconnectorcontext.core.cnrm.cloud.google.com is Current: status.healthy is true
inventory-85852139/rolebinding.rbac.authorization.k8s.io/hierarchy/allow-hierarchy-resource-reference-from-projects is Current: Resource is current
inventory-85852139/rolebinding.rbac.authorization.k8s.io/hierarchy/allow-hierarchy-resource-reference-from-policies is Current: Resource is current
inventory-85852139/rolebinding.rbac.authorization.k8s.io/hierarchy/allow-hierarchy-resource-reference-from-config-control is Current: Resource is current
inventory-85852139/rolebinding.rbac.authorization.k8s.io/hierarchy/allow-folders-resource-reference-to-logging is Current: Resource is current
inventory-85852139/iamserviceaccount.iam.cnrm.cloud.google.com/config-control/logging-sa is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/logging-sa-logadmin-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/logging-sa-bigqueryadmin-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/config-control/logging-sa-workload-identity-binding is Current: Resource is Current
inventory-85852139/namespace//logging is Current: Resource is current
inventory-85852139/configconnectorcontext.core.cnrm.cloud.google.com/logging/configconnectorcontext.core.cnrm.cloud.google.com is Current: status.healthy is true
inventory-85852139/rolebinding.rbac.authorization.k8s.io/logging/allow-logging-resource-reference-from-projects is Current: Resource is current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/config-control-sa-orgroleadmin-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/config-control-sa-management-project-editor-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/config-control-sa-management-project-serviceaccountadmin-permissions is Current: Resource is Current
inventory-85852139/iamserviceaccount.iam.cnrm.cloud.google.com/config-control/networking-sa is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/networking-sa-networkadmin-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/networking-sa-security-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/networking-sa-dns-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/networking-sa-service-control-org-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/networking-sa-xpnadmin-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/networking-sa-servicedirectoryeditor-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/config-control/networking-sa-workload-identity-binding is Current: Resource is Current
inventory-85852139/namespace//networking is Current: Resource is current
inventory-85852139/configconnectorcontext.core.cnrm.cloud.google.com/networking/configconnectorcontext.core.cnrm.cloud.google.com is Current: status.healthy is true
inventory-85852139/iamserviceaccount.iam.cnrm.cloud.google.com/config-control/policies-sa is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/policies-sa-orgpolicyadmin-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/config-control/policies-sa-workload-identity-binding is Current: Resource is Current
inventory-85852139/namespace//policies is Current: Resource is current
inventory-85852139/configconnectorcontext.core.cnrm.cloud.google.com/policies/configconnectorcontext.core.cnrm.cloud.google.com is Current: status.healthy is true
inventory-85852139/iamserviceaccount.iam.cnrm.cloud.google.com/config-control/projects-sa is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/projects-sa-projectiamadmin-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/projects-sa-projectcreator-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/projects-sa-projectmover-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/projects-sa-projectdeleter-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/projects-sa-serviceusageadmin-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/projects-sa-billinguser-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/config-control/projects-sa-workload-identity-binding is Current: Resource is Current
inventory-85852139/namespace//projects is Current: Resource is current
inventory-85852139/configconnectorcontext.core.cnrm.cloud.google.com/projects/configconnectorcontext.core.cnrm.cloud.google.com is Current: status.healthy is true
inventory-85852139/rolebinding.rbac.authorization.k8s.io/projects/allow-projects-resource-reference-from-logging is Current: Resource is current
inventory-85852139/rolebinding.rbac.authorization.k8s.io/projects/allow-projects-resource-reference-from-networking is Current: Resource is current
inventory-85852139/rolebinding.rbac.authorization.k8s.io/projects/allow-projects-resource-reference-from-policies is Current: Resource is current
inventory-85852139/iamcustomrole.iam.cnrm.cloud.google.com/config-control/gke-firewall-admin is Current: Resource is Current
inventory-85852139/iamcustomrole.iam.cnrm.cloud.google.com/config-control/tier2-dnsrecord-admin is Current: Resource is Current
inventory-85852139/iamcustomrole.iam.cnrm.cloud.google.com/config-control/tier2-vpcpeering-admin is Current: Resource is Current
inventory-85852139/iamcustomrole.iam.cnrm.cloud.google.com/config-control/tier3-dnsrecord-admin is Current: Resource is Current
inventory-85852139/iamcustomrole.iam.cnrm.cloud.google.com/config-control/tier3-firewallrule-admin is Current: Resource is Current
inventory-85852139/iamcustomrole.iam.cnrm.cloud.google.com/config-control/tier3-vpcsc-admin is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-disable-guest-attribute-access is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-disable-nested-virtualization is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-disable-serial-port-access is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-disable-vpc-external-ipv6 is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-require-os-login is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-require-shielded-vm is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-restrict-load-balancer-creation-for-types is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-restrict-shared-vpc-lien-removal is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-restrict-vpc-peering is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-skip-default-network-creation is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-trusted-image-projects is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-vm-can-ip-forward is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-vm-external-ip-access is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/essentialcontacts-allowed-contact-domains is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/gcp-restrict-resource-locations is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/iam-allowed-policy-member-domains is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/iam-disable-service-account-key-creation is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/sql-restrict-public-ip is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/storage-public-access-prevention is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/storage-uniform-bucket-level-access is Current: Resource is Current
inventory-85852139/logginglogsink.logging.cnrm.cloud.google.com/logging/logging-project-kls-security-sink is Current: Resource is Current
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$
2nd deployment on arg
admin_@cloudshell:~/pdt-arg/main (pdt-arg-kcc11)$ kpt pkg get https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git/solutions/gatekeeper-policies@main
Package "gatekeeper-policies":
Fetching https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit@main
From https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit
* branch main -> FETCH_HEAD
+ 4ec915c...8f765e2 main -> origin/main (forced update)
Adding package "solutions/gatekeeper-policies".
admin_@cloudshell:~/pdt-arg/main (pdt-arg-kcc11)$ kpt pkg get https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git/solutions/core-landing-zone@main
Package "core-landing-zone":
Fetching https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit@main
From https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit
* branch main -> FETCH_HEAD
Adding package "solutions/core-landing-zone".
Fetched 1 package(s).
admin_@cloudshell:~/pdt-arg/main (pdt-arg-kcc11)$ ls
core-landing-zone core-landing-zone_old gatekeeper-policies gatekeeper-policies-old packages pubsec-declarative-toolkit setters.yaml
handle duplicate with experimentation - get into subdirectory to fix
admin_@cloudshell:~/pdt-arg/main (pdt-arg-kcc11)$ kpt pkg get https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git/solutions/experimentation/core-landing-zone@main
Error: destination directory "core-landing-zone" already exists
Current status (deploying hub) - move to https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/446#issuecomment-1684391117 kcc.landing.zone
root@cloudshell:~/kcc-kls/lz-20230803$ ls
client-landing-zone client-setup core-landing-zone hub-env setters.yaml
root@cloudshell:~/kcc-kls/lz-20230803$
New standalone clients that wish to run a one-off unmanaged KCC LZ require a two-step automated procedure with example values.yaml around the CC GKE cluster + (core-landing-zone + experimentation/core-landing-zone) - dual bootstrap scripts
This procedure, to be merged into the main readme, is in addition to #296, #418 and #534.