search

GoogleCloudPlatform / pubsec-declarative-toolkit

The GCP PubSec Declarative Toolkit is a collection of declarative solutions to help you on your Journey to Google Cloud. Solutions are designed using Config Connector and deployed using Config Controller.
Apache License 2.0
31 stars 28 forks source link

Add back optional KPT deployment option documentation - removed after release core-landing-zone/0.3.0 #457

Open obriensystems opened 1 year ago

obriensystems commented 1 year ago

I know oci and gitops are the core - and I agree having the code in github/ado/gitlab/csr is preferred - but some clients have requested the easier kpt option and it should be there as a base deployment option - since mid 2022

To be fair the base case deployment option is actually pure kubernetes krm yaml like in https://cloud.google.com/config-connector/docs/how-to/getting-started

see original gitops docs in https://cloud.google.com/anthos-config-management/docs/concepts/config-controller-overview and https://cloud.google.com/anthos-config-management/docs/how-to/unstructured-repo see original kpt docs in https://cloud.google.com/architecture/managing-cloud-infrastructure-using-kpt

20230814: revisit kls

root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ export PROJECT_ID=kcc-kls-cluster3
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ ls
core-landing-zone  setters.yaml
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ rm -rf core-landing-zone/
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ kpt pkg get https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git/solutions/core-landing-zone@main
Package "core-landing-zone":
Fetching https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit@main
From https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit
 * branch            main       -> FETCH_HEAD
 + 52f93a3...ea2e57f main       -> origin/main  (forced update)
Adding package "solutions/core-landing-zone".

Fetched 1 package(s).
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ cp setters.yaml core-landing-zone/

re-add kpt documentation at the end of section 2 see #409

https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/docs/landing-zone-v2#2-create-your-landing-zone needs https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/solutions/core-landing-zone/0.3.0/docs/landing-zone-v2#kpt

root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$   kpt live init core-landing-zone --namespace config-control
initializing "resourcegroup.yaml" data (namespace: config-control)...success

root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ kpt fn render core-landing-zone
Package "core-landing-zone": 
[RUNNING] "gcr.io/kpt-fn/apply-setters:v0.2"
[FAIL] "gcr.io/kpt-fn/apply-setters:v0.2" in 2.1s
  Results:
    [error]: failed to apply setters: values for setters [${platform-and-component-log-bucket}] must be provided
  Stderr:
    "values for setters [${platform-and-component-log-bucket}] must be providedvalues for setters [${platform-and-component-log-bucket}] must be provided"
  Exit code: 1

  fix: did not have the latest version of setters.yaml - updated

  mirroring changes to my local repo from the core-landing-zone kpt folder download

root_@cloudshell:~/kcc-kls/lz-20230803-gh/pubsec-declarative-toolkit (kcc-kls-cluster3)$ git diff
diff --git a/solutions/core-landing-zone/setters.yaml b/solutions/core-landing-zone/setters.yaml
index f3168d3..ca53ae4 100644
--- a/solutions/core-landing-zone/setters.yaml
+++ b/solutions/core-landing-zone/setters.yaml
@@ -14,10 +14,11 @@
 #########
 apiVersion: v1
 kind: ConfigMap
-metadata:
+metadata: # kpt-merge: /setters
   name: setters
   annotations:
     config.kubernetes.io/local-config: "true"
+    internal.kpt.dev/upstream-identifier: '|ConfigMap|default|setters'
 data:
   ##########################
   # Instructions
@@ -38,9 +39,9 @@ data:
   # General Settings Values
   ##########################
   #
-  org-id: "0000000000"
-  lz-folder-id: '0000000000'
-  billing-id: "AAAAAA-BBBBBB-CCCCCC"
+  org-id: "15....993"
+  lz-folder-id: '444....332'
+  billing-id: "01....833"
   #
   ##########################
   # Management Project
@@ -48,8 +49,8 @@ data:
   #
   # This is the project where the config controller instance is running
   # Values can be viewed in the Project Dashboard
-  management-project-id: management-project-12345
-  management-project-number: "0000000000"
+  management-project-id: kcc-kls-cluster3
+  management-project-number: "53....547"
   management-namespace: config-control
   #
   ##########################
@@ -68,14 +69,14 @@ data:
   # org/org-policies/essentialcontacts-allowed-contact-domains.yaml
   # this setting MUST be changed
   allowed-contact-domains: |
-    - "@example.com"
+    - "@kcc.landing.systems"
   #
   # a list of directory customer IDs from which users can be added to IAM policies, see YAML file for more info:
   # org/org-policies/iam-allowed-policy-member-domains.yaml
   # this setting MUST be changed to include the GCP org's directory ID and any other directory containing users that will need IAM roles assigned
   # run 'gcloud organizations list' as described in https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#retrieving_customer_id
   allowed-policy-domain-members: |
-    - "DIRECTORY_CUSTOMER_ID"
+    - "C0....m1"
   #
   # a list of allowed projects, folders, networks for VPC peering, see YAML file for more info:
   # org/org-policies/compute-restrict-vpc-peering.yaml
@@ -87,13 +88,13 @@ data:
   # Logging
   ##########################
   #
-  logging-project-id: logging-project-12345
+  logging-project-id: logging-project-kls
   #
   # Log Buckets
   # Security Logs Bucket
-  security-log-bucket: security-log-bucket-12345
+  security-log-bucket: security-log-bucket-kls
   # Platform and Component Log Bucket
-  platform-and-component-log-bucket: platform-and-component-log-bucket-12345
+  platform-and-component-log-bucket: platform-and-component-log-bucket-kls
   #
   # Retention settings
   # Set the number of days to retain logs in Cloud Logging buckets
@@ -110,8 +111,9 @@ data:
   # DNS
   ##########################
   #
-  dns-project-id: dns-project-12345
-  dns-name: "example.com."
+  dns-project-id: dns-project-kls
+  # the appended . is required by google cloud domain zones
+  dns-name: "kcc.landing.systems."

kpt rendering ok

root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ kpt fn render core-landing-zone
Package "core-landing-zone": 
[RUNNING] "gcr.io/kpt-fn/apply-setters:v0.2"
[PASS] "gcr.io/kpt-fn/apply-setters:v0.2" in 600ms
  Results:
    [info] spec.folderRef.external: set field value to "444332200332"
    [info] metadata.name: set field value to "security-log-bucket-kls"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/logging-project-kls"
    [info] spec.projectRef.name: set field value to "logging-project-kls"
    ...(213 line(s) truncated, use '--truncate-output=false' to disable)

Successfully executed 1 function(s) in 1 package(s).

kpt live apply (20230414:1552)

kpt live apply core-landing-zone --reconcile-timeout=2m --output=table
Screenshot 2023-08-14 at 15 53 58

coming up

Screenshot 2023-08-14 at 15 56 21 
NAMESPACE   RESOURCE                                  ACTION        STATUS      RECONCILED  CONDITIONS                                AGE     MESSAGE                                 
            Namespace/hierarchy                       Successful    Current                 <None>                                    2m      Resource is current                     
            Namespace/logging                         Successful    Current                 <None>                                    2m      Resource is current                     
            Namespace/networking                      Successful    Current                 <None>                                    2m      Resource is current                     
            Namespace/policies                        Successful    Current                 <None>                                    2m      Resource is current                     
            Namespace/projects                        Successful    Current                 <None>                                    2m      Resource is current                     
config-con  IAMCustomRole/gke-firewall-admin          Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMCustomRole/tier2-dnsrecord-admin       Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMCustomRole/tier2-vpcpeering-admin      Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMCustomRole/tier3-dnsrecord-admin       Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMCustomRole/tier3-firewallrule-admin    Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMCustomRole/tier3-vpcsc-admin           Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMPartialPolicy/gatekeeper-admin-sa-wor  Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMPartialPolicy/hierarchy-sa-workload-i  Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMPartialPolicy/logging-sa-workload-ide  Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMPartialPolicy/networking-sa-workload-  Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMPartialPolicy/policies-sa-workload-id  Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMPartialPolicy/projects-sa-workload-id  Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMPolicyMember/config-control-sa-manage  Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMPolicyMember/config-control-sa-manage  Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMPolicyMember/config-control-sa-orgrol  Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMPolicyMember/gatekeeper-admin-sa-metr  Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMPolicyMember/hierarchy-sa-folderadmin  Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMPolicyMember/logging-sa-bigqueryadmin  Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMPolicyMember/logging-sa-logadmin-perm  Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMPolicyMember/networking-sa-dns-permis  Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMPolicyMember/networking-sa-networkadm  Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMPolicyMember/networking-sa-security-p  Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMPolicyMember/networking-sa-service-co  Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMPolicyMember/networking-sa-servicedir  Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMPolicyMember/networking-sa-xpnadmin-p  Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMPolicyMember/policies-sa-orgpolicyadm  Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMPolicyMember/projects-sa-billinguser-  Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMPolicyMember/projects-sa-projectcreat  Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMPolicyMember/projects-sa-projectdelet  Successful    Failed                  Ready                                     2m      Update call failed: error setting policy
config-con  IAMPolicyMember/projects-sa-projectiamad  Successful    Failed                  Ready                                     2m      Update call failed: error setting policy
config-con  IAMPolicyMember/projects-sa-projectmover  Successful    Failed                  Ready                                     2m      Update call failed: error setting policy
config-con  IAMPolicyMember/projects-sa-serviceusage  Successful    Failed                  Ready                                     2m      Update call failed: error setting policy
config-con  IAMServiceAccount/gatekeeper-admin-sa     Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMServiceAccount/hierarchy-sa            Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMServiceAccount/logging-sa              Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMServiceAccount/networking-sa           Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMServiceAccount/policies-sa             Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  IAMServiceAccount/projects-sa             Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  Service/kcc-kls-cluster3-accesscontextma  Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  Service/kcc-kls-cluster3-cloudbilling     Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  Service/kcc-kls-cluster3-cloudresourcema  Successful    Current                 Ready                                     2m      Resource is Current                     
config-con  Service/kcc-kls-cluster3-serviceusage     Successful    Current                 Ready                                     2m      Resource is Current                     
gatekeeper  ConfigConnectorContext/configconnectorco  Successful    Current                 <None>                                    2m      status.healthy is true                  
hierarchy   ConfigConnectorContext/configconnectorco  Successful    Current                 <None>                                    35s     status.healthy is true                  
hierarchy   RoleBinding/allow-folders-resource-refer  Successful    Current                 <None>                                    37s     Resource is current                     
hierarchy   RoleBinding/allow-hierarchy-resource-ref  Successful    Current                 <None>                                    37s     Resource is current                     
hierarchy   RoleBinding/allow-hierarchy-resource-ref  Successful    Current                 <None>                                    37s     Resource is current                     
hierarchy   RoleBinding/allow-hierarchy-resource-ref  Successful    Current                 <None>                                    36s     Resource is current                     
hierarchy   Folder/audits                             Successful    Current                 Ready                                     34s     Resource is Current                     
hierarchy   Folder/clients                            Successful    Current                 Ready                                     33s     Resource is Current                     
hierarchy   Folder/services                           Successful    Current                 Ready                                     33s     Resource is Current                     
hierarchy   Folder/services-infrastructure            Successful    Current                 Ready                                     33s     Resource is Current                     
logging     ConfigConnectorContext/configconnectorco  Successful    Current                 <None>                                    35s     status.healthy is true                  
logging     LoggingLogBucket/platform-and-component-  Skipped       Unknown                 -                                         -                                               
logging     LoggingLogBucket/security-log-bucket-kls  Skipped       Unknown                 -                                         -                                               
logging     LoggingLogSink/logging-project-kls-secur  Skipped       Unknown                 -                                         -                                               
logging     LoggingLogSink/mgmt-project-cluster-disa  Skipped       Unknown                 -                                         -                                               
logging     LoggingLogSink/mgmt-project-cluster-plat  Skipped       Unknown                 -                                         -                                               
logging     LoggingLogSink/platform-and-component-se  Skipped       Unknown                 -                                         -                                               
logging     LoggingLogSink/platform-and-component-se  Skipped       Unknown                 -                                         -                                               
logging     RoleBinding/allow-logging-resource-refer  Successful    Current                 <None>                                    36s     Resource is current                     
networking  ConfigConnectorContext/configconnectorco  Successful    Current                 <None>                                    35s     status.healthy is true                  
networking  DNSManagedZone/dns-project-kls-standard-  Skipped       Unknown                 -                                         -                                               
policies    ConfigConnectorContext/configconnectorco  Successful    Current                 <None>                                    35s     status.healthy is true                  
policies    ResourceManagerPolicy/compute-disable-gu  Successful    Current                 Ready                                     32s     Resource is Current                     
policies    ResourceManagerPolicy/compute-disable-ne  Successful    Current                 Ready                                     32s     Resource is Current                     
policies    ResourceManagerPolicy/compute-disable-se  Successful    Current                 Ready                                     32s     Resource is Current                     
policies    ResourceManagerPolicy/compute-disable-vp  Successful    Current                 Ready                                     32s     Resource is Current                     
policies    ResourceManagerPolicy/compute-require-os  Successful    Current                 Ready                                     32s     Resource is Current                     
policies    ResourceManagerPolicy/compute-require-sh  Successful    Current                 Ready                                     31s     Resource is Current                     
policies    ResourceManagerPolicy/compute-require-sh  Successful    Current                 Ready                                     31s     Resource is Current                     
policies    ResourceManagerPolicy/compute-restrict-l  Successful    Current                 Ready                                     31s     Resource is Current                     
policies    ResourceManagerPolicy/compute-restrict-s  Successful    Current                 Ready                                     31s     Resource is Current                     
policies    ResourceManagerPolicy/compute-restrict-v  Successful    Failed                  Ready                                     30s     Update call failed: error applying desir
policies    ResourceManagerPolicy/compute-skip-defau  Successful    Current                 Ready                                     30s     Resource is Current                     
policies    ResourceManagerPolicy/compute-trusted-im  Successful    Current                 Ready                                     30s     Resource is Current                     
policies    ResourceManagerPolicy/compute-vm-can-ip-  Successful    Current                 Ready                                     30s     Resource is Current                     
policies    ResourceManagerPolicy/compute-vm-externa  Successful    Current                 Ready                                     30s     Resource is Current                     
policies    ResourceManagerPolicy/essentialcontacts-  Successful    Current                 Ready                                     29s     Resource is Current                     
policies    ResourceManagerPolicy/gcp-restrict-resou  Successful    Current                 Ready                                     29s     Resource is Current                     
policies    ResourceManagerPolicy/iam-allowed-policy  Successful    Current                 Ready                                     29s     Resource is Current                     
policies    ResourceManagerPolicy/iam-disable-servic  Successful    Current                 Ready                                     29s     Resource is Current                     
policies    ResourceManagerPolicy/sql-restrict-publi  Successful    Current                 Ready                                     29s     Resource is Current                     
policies    ResourceManagerPolicy/storage-public-acc  Successful    Current                 Ready                                     28s     Resource is Current                     
policies    ResourceManagerPolicy/storage-uniform-bu  Successful    Current                 Ready                                     28s     Resource is Current                     
projects    ConfigConnectorContext/configconnectorco  Successful    Current                 <None>                                    35s     status.healthy is true                  
projects    IAMAuditConfig/logging-project-data-acce  Skipped       Unknown                 -                                         -                                               
projects    IAMPartialPolicy/mgmt-project-cluster-pl  Skipped       Unknown                 -                                         -                                               
projects    IAMPartialPolicy/platform-and-component-  Skipped       Unknown                 -                                         -                                               
projects    IAMPartialPolicy/platform-and-component-  Skipped       Unknown                 -                                         -                                               
projects    IAMPartialPolicy/security-log-bucket-wri  Skipped       Unknown                 -                                         -                                               
projects    RoleBinding/allow-projects-resource-refe  Successful    Current                 <None>                                    36s     Resource is current                     
projects    RoleBinding/allow-projects-resource-refe  Successful    Current                 <None>                                    36s     Resource is current                     
projects    RoleBinding/allow-projects-resource-refe  Successful    Current                 <None>                                    36s     Resource is current                     
projects    Project/dns-project-kls                   Successful    Failed                  Ready                                     2s      Update call failed: error fetching live 
projects    Project/logging-project-kls               Successful    Failed                  Ready                                     33s     Update call failed: error fetching live 
projects    Service/dns-project-kls-dns               Skipped       Unknown                 -                                         -                                               

root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ kubectl get pods --all-namespaces
NAMESPACE                         NAME                                                       READY   STATUS    RESTARTS       AGE
cnrm-system                       cnrm-controller-manager-3fo6phebqgg23knqq5qq-0             2/2     Running   0              4m2s
cnrm-system                       cnrm-controller-manager-7c4rehlik7xgxc2utq6a-0             2/2     Running   0              4m2s
cnrm-system                       cnrm-controller-manager-fiqj4dqbgpwy6mlvh25q-0             2/2     Running   0              4m
cnrm-system                       cnrm-controller-manager-ghhiigeeussitzq7mfza-0             2/2     Running   0              4m
cnrm-system                       cnrm-controller-manager-gnunqke5gjhr55wngr7q-0             2/2     Running   0              4m1s
cnrm-system                       cnrm-controller-manager-sgfj3cxgisp6jdsfy7qq-0             2/2     Running   0              5d3h
cnrm-system                       cnrm-controller-manager-swyfekd4gcdftjnvc2qa-0             2/2     Running   0              5m29s
cnrm-system                       cnrm-deletiondefender-0                                    1/1     Running   0              5d3h
cnrm-system                       cnrm-resource-stats-recorder-88bfdfd56-kqdq2               2/2     Running   0              5d3h
cnrm-system                       cnrm-unmanaged-detector-0                                  1/1     Running   0              5d3h
cnrm-system                       cnrm-webhook-manager-54c8477885-cr54f                      1/1     Running   0              5d3h
cnrm-system                       cnrm-webhook-manager-54c8477885-plgkd                      1/1     Running   0              4m36s
cnrm-system                       cnrm-webhook-manager-54c8477885-ssldj                      1/1     Running   0              5d3h
config-management-monitoring      otel-collector-865b4f4968-l89bt                            1/1     Running   0              5d3h
config-management-system          config-management-operator-5db59f7f8f-5fb4p                1/1     Running   0              5d3h
config-management-system          reconciler-manager-5cddc57f5-bxc86                         2/2     Running   0              5d3h
configconnector-operator-system   configconnector-operator-0                                 1/1     Running   0              5d3h
gatekeeper-system                 gatekeeper-audit-6d686f5467-zlwzr                          1/1     Running   0              5d3h
gatekeeper-system                 gatekeeper-controller-manager-6b47854cf5-nsmzs             1/1     Running   0              5d3h
gke-gmp-system                    alertmanager-0                                             2/2     Running   2 (11d ago)    11d
gke-gmp-system                    collector-bb4st                                            2/2     Running   2 (11d ago)    11d
gke-gmp-system                    collector-h4j24                                            2/2     Running   1 (11d ago)    11d
gke-gmp-system                    collector-szhxn                                            2/2     Running   2 (11d ago)    11d
gke-gmp-system                    gmp-operator-7645bc584f-5d8gf                              1/1     Running   0              30h
gke-gmp-system                    rule-evaluator-767c5ccc99-7mbnt                            2/2     Running   2 (11d ago)    11d
krmapihosting-monitoring          krmapihosting-metrics-agent-55glj                          1/1     Running   0              11d
krmapihosting-monitoring          krmapihosting-metrics-agent-9nlw9                          1/1     Running   0              11d
krmapihosting-monitoring          krmapihosting-metrics-agent-d8xm9                          1/1     Running   0              11d
krmapihosting-system              bootstrap-5d5578f758-sh76w                                 1/1     Running   0              5d3h
kube-system                       anetd-cg6g9                                                1/1     Running   0              11d
kube-system                       anetd-f2gpt                                                1/1     Running   0              11d
kube-system                       anetd-r7gr2                                                1/1     Running   0              11d
kube-system                       antrea-controller-horizontal-autoscaler-7b69d9bfd7-rqq8r   1/1     Running   0              11d
kube-system                       egress-nat-controller-98648bc69-fm8nk                      1/1     Running   0              11d
kube-system                       event-exporter-gke-7bf6c99dcb-c5dd9                        2/2     Running   0              11d
kube-system                       filestore-node-4p9cx                                       3/3     Running   0              11d
kube-system                       filestore-node-5jlfv                                       3/3     Running   0              11d
kube-system                       filestore-node-74pm4                                       3/3     Running   1 (7d6h ago)   11d
kube-system                       fluentbit-gke-big-6hsk5                                    2/2     Running   0              11d
kube-system                       fluentbit-gke-big-sxkh2                                    2/2     Running   0              11d
kube-system                       fluentbit-gke-big-vm26j                                    2/2     Running   0              11d
kube-system                       gcsfusecsi-node-7k76l                                      2/2     Running   0              11d
kube-system                       gcsfusecsi-node-j8r4b                                      2/2     Running   0              11d
kube-system                       gcsfusecsi-node-sq62q                                      2/2     Running   0              11d
kube-system                       gke-metadata-server-btb9x                                  1/1     Running   0              30h
kube-system                       gke-metadata-server-l447p                                  1/1     Running   0              30h
kube-system                       gke-metadata-server-w7brs                                  1/1     Running   0              30h
kube-system                       gke-metrics-agent-9hvwg                                    2/2     Running   0              11d
kube-system                       gke-metrics-agent-j4xvr                                    2/2     Running   0              11d
kube-system                       gke-metrics-agent-spdl8                                    2/2     Running   0              11d
kube-system                       ip-masq-agent-cphwd                                        1/1     Running   0              11d
kube-system                       ip-masq-agent-n7nbw                                        1/1     Running   0              11d
kube-system                       ip-masq-agent-r8pvq                                        1/1     Running   0              11d
kube-system                       konnectivity-agent-5b687c8dcb-d64h7                        1/1     Running   0              5d3h
kube-system                       konnectivity-agent-5b687c8dcb-dkrth                        1/1     Running   0              11d
kube-system                       konnectivity-agent-5b687c8dcb-vgmkm                        1/1     Running   0              11d
kube-system                       konnectivity-agent-autoscaler-5d9dbcc6d8-2s5dp             1/1     Running   0              11d
kube-system                       kube-dns-865c4fb86d-k5b2c                                  4/4     Running   0              11d
kube-system                       kube-dns-865c4fb86d-skmk6                                  4/4     Running   0              11d
kube-system                       kube-dns-autoscaler-84b8db4dc7-h47j6                       1/1     Running   0              11d
kube-system                       l7-default-backend-58c4fb8884-7n45b                        1/1     Running   0              2d6h
kube-system                       metrics-server-v0.5.2-6bf74b5d5f-fknxl                     2/2     Running   0              11d
kube-system                       netd-dtqvj                                                 1/1     Running   0              11d
kube-system                       netd-l5wgc                                                 1/1     Running   0              11d
kube-system                       netd-nhgl9                                                 1/1     Running   0              11d
kube-system                       node-local-dns-5wzzk                                       1/1     Running   0              11d
kube-system                       node-local-dns-bxqzh                                       1/1     Running   0              11d
kube-system                       node-local-dns-fkfln                                       1/1     Running   0              11d
kube-system                       pdcsi-node-h8jzw                                           2/2     Running   0              9d
kube-system                       pdcsi-node-hl6m6                                           2/2     Running   0              9d
kube-system                       pdcsi-node-sxfns                                           2/2     Running   0              9d
resource-group-system             resource-group-controller-manager-5594cd7b8-l87bc          2/2     Running   0              5d3h
obriensystems commented 1 year ago

just 1 org policy has an issue missed a setters.yaml var under:organizations/ORGANIZATION_ID]


  allowed-vpc-peering: |
    - "under:organizations/15..."

root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ kpt live status core-landing-zone
inventory-85852139/folder.resourcemanager.cnrm.cloud.google.com/hierarchy/audits is Current: Resource is Current
inventory-85852139/project.resourcemanager.cnrm.cloud.google.com/projects/logging-project-kls is Current: Resource is Current
inventory-85852139/folder.resourcemanager.cnrm.cloud.google.com/hierarchy/clients is Current: Resource is Current
inventory-85852139/folder.resourcemanager.cnrm.cloud.google.com/hierarchy/services is Current: Resource is Current
inventory-85852139/project.resourcemanager.cnrm.cloud.google.com/projects/dns-project-kls is Current: Resource is Current
inventory-85852139/folder.resourcemanager.cnrm.cloud.google.com/hierarchy/services-infrastructure is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-require-shielded-vm-except-mgt-project is Current: Resource is Current
inventory-85852139/service.serviceusage.cnrm.cloud.google.com/config-control/kcc-kls-cluster3-cloudbilling is Current: Resource is Current
inventory-85852139/service.serviceusage.cnrm.cloud.google.com/config-control/kcc-kls-cluster3-cloudresourcemanager is Current: Resource is Current
inventory-85852139/service.serviceusage.cnrm.cloud.google.com/config-control/kcc-kls-cluster3-serviceusage is Current: Resource is Current
inventory-85852139/service.serviceusage.cnrm.cloud.google.com/config-control/kcc-kls-cluster3-accesscontextmanager is Current: Resource is Current
inventory-85852139/iamserviceaccount.iam.cnrm.cloud.google.com/config-control/gatekeeper-admin-sa is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/gatekeeper-admin-sa-metric-writer-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/config-control/gatekeeper-admin-sa-workload-identity-binding is Current: Resource is Current
inventory-85852139/configconnectorcontext.core.cnrm.cloud.google.com/gatekeeper-system/configconnectorcontext.core.cnrm.cloud.google.com is Current: status.healthy is true
inventory-85852139/iamserviceaccount.iam.cnrm.cloud.google.com/config-control/hierarchy-sa is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/hierarchy-sa-folderadmin-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/config-control/hierarchy-sa-workload-identity-binding is Current: Resource is Current
inventory-85852139/namespace//hierarchy is Current: Resource is current
inventory-85852139/configconnectorcontext.core.cnrm.cloud.google.com/hierarchy/configconnectorcontext.core.cnrm.cloud.google.com is Current: status.healthy is true
inventory-85852139/rolebinding.rbac.authorization.k8s.io/hierarchy/allow-hierarchy-resource-reference-from-projects is Current: Resource is current
inventory-85852139/rolebinding.rbac.authorization.k8s.io/hierarchy/allow-hierarchy-resource-reference-from-policies is Current: Resource is current
inventory-85852139/rolebinding.rbac.authorization.k8s.io/hierarchy/allow-hierarchy-resource-reference-from-config-control is Current: Resource is current
inventory-85852139/rolebinding.rbac.authorization.k8s.io/hierarchy/allow-folders-resource-reference-to-logging is Current: Resource is current
inventory-85852139/iamserviceaccount.iam.cnrm.cloud.google.com/config-control/logging-sa is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/logging-sa-logadmin-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/logging-sa-bigqueryadmin-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/config-control/logging-sa-workload-identity-binding is Current: Resource is Current
inventory-85852139/namespace//logging is Current: Resource is current
inventory-85852139/configconnectorcontext.core.cnrm.cloud.google.com/logging/configconnectorcontext.core.cnrm.cloud.google.com is Current: status.healthy is true
inventory-85852139/rolebinding.rbac.authorization.k8s.io/logging/allow-logging-resource-reference-from-projects is Current: Resource is current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/config-control-sa-orgroleadmin-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/config-control-sa-management-project-editor-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/config-control-sa-management-project-serviceaccountadmin-permissions is Current: Resource is Current
inventory-85852139/iamserviceaccount.iam.cnrm.cloud.google.com/config-control/networking-sa is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/networking-sa-networkadmin-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/networking-sa-security-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/networking-sa-dns-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/networking-sa-service-control-org-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/networking-sa-xpnadmin-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/networking-sa-servicedirectoryeditor-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/config-control/networking-sa-workload-identity-binding is Current: Resource is Current
inventory-85852139/namespace//networking is Current: Resource is current
inventory-85852139/configconnectorcontext.core.cnrm.cloud.google.com/networking/configconnectorcontext.core.cnrm.cloud.google.com is Current: status.healthy is true
inventory-85852139/iamserviceaccount.iam.cnrm.cloud.google.com/config-control/policies-sa is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/policies-sa-orgpolicyadmin-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/config-control/policies-sa-workload-identity-binding is Current: Resource is Current
inventory-85852139/namespace//policies is Current: Resource is current
inventory-85852139/configconnectorcontext.core.cnrm.cloud.google.com/policies/configconnectorcontext.core.cnrm.cloud.google.com is Current: status.healthy is true
inventory-85852139/iamserviceaccount.iam.cnrm.cloud.google.com/config-control/projects-sa is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/projects-sa-projectiamadmin-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/projects-sa-projectcreator-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/projects-sa-projectmover-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/projects-sa-projectdeleter-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/projects-sa-serviceusageadmin-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/projects-sa-billinguser-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/config-control/projects-sa-workload-identity-binding is Current: Resource is Current
inventory-85852139/namespace//projects is Current: Resource is current
inventory-85852139/configconnectorcontext.core.cnrm.cloud.google.com/projects/configconnectorcontext.core.cnrm.cloud.google.com is Current: status.healthy is true
inventory-85852139/rolebinding.rbac.authorization.k8s.io/projects/allow-projects-resource-reference-from-logging is Current: Resource is current
inventory-85852139/rolebinding.rbac.authorization.k8s.io/projects/allow-projects-resource-reference-from-networking is Current: Resource is current
inventory-85852139/rolebinding.rbac.authorization.k8s.io/projects/allow-projects-resource-reference-from-policies is Current: Resource is current
inventory-85852139/iamcustomrole.iam.cnrm.cloud.google.com/config-control/gke-firewall-admin is Current: Resource is Current
inventory-85852139/iamcustomrole.iam.cnrm.cloud.google.com/config-control/tier2-dnsrecord-admin is Current: Resource is Current
inventory-85852139/iamcustomrole.iam.cnrm.cloud.google.com/config-control/tier2-vpcpeering-admin is Current: Resource is Current
inventory-85852139/iamcustomrole.iam.cnrm.cloud.google.com/config-control/tier3-dnsrecord-admin is Current: Resource is Current
inventory-85852139/iamcustomrole.iam.cnrm.cloud.google.com/config-control/tier3-firewallrule-admin is Current: Resource is Current
inventory-85852139/iamcustomrole.iam.cnrm.cloud.google.com/config-control/tier3-vpcsc-admin is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-disable-guest-attribute-access is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-disable-nested-virtualization is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-disable-serial-port-access is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-disable-vpc-external-ipv6 is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-require-os-login is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-require-shielded-vm is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-restrict-load-balancer-creation-for-types is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-restrict-shared-vpc-lien-removal is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-restrict-vpc-peering is Failed: Update call failed: error applying desired state: summary: googleapi: Error 400: One or more values is invalid.
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.BadRequest",
    "fieldViolations": [
      {
        "description": "Invalid value: [under:organizations/ORGANIZATION_ID]",
        "field": "policy.list_policy.allowed_values[0]"
      }
    ]
  }
]
, badRequest
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-skip-default-network-creation is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-trusted-image-projects is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-vm-can-ip-forward is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-vm-external-ip-access is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/essentialcontacts-allowed-contact-domains is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/gcp-restrict-resource-locations is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/iam-allowed-policy-member-domains is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/iam-disable-service-account-key-creation is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/sql-restrict-public-ip is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/storage-public-access-prevention is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/storage-uniform-bucket-level-access is Current: Resource is Current

fixing

Screenshot 2023-08-14 at 16 51 18 
NAMESPACE   RESOURCE                                  ACTION        STATUS      RECONCILED  CONDITIONS                                AGE     MESSAGE                                 
            Namespace/hierarchy                       Successful    Current                 <None>                                    61m     Resource is current                     
            Namespace/logging                         Successful    Current                 <None>                                    61m     Resource is current                     
            Namespace/networking                      Successful    Current                 <None>                                    61m     Resource is current                     
            Namespace/policies                        Successful    Current                 <None>                                    61m     Resource is current                     
            Namespace/projects                        Successful    Current                 <None>                                    61m     Resource is current                     
config-con  IAMCustomRole/gke-firewall-admin          Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMCustomRole/tier2-dnsrecord-admin       Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMCustomRole/tier2-vpcpeering-admin      Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMCustomRole/tier3-dnsrecord-admin       Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMCustomRole/tier3-firewallrule-admin    Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMCustomRole/tier3-vpcsc-admin           Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMPartialPolicy/gatekeeper-admin-sa-wor  Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMPartialPolicy/hierarchy-sa-workload-i  Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMPartialPolicy/logging-sa-workload-ide  Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMPartialPolicy/networking-sa-workload-  Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMPartialPolicy/policies-sa-workload-id  Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMPartialPolicy/projects-sa-workload-id  Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMPolicyMember/config-control-sa-manage  Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMPolicyMember/config-control-sa-manage  Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMPolicyMember/config-control-sa-orgrol  Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMPolicyMember/gatekeeper-admin-sa-metr  Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMPolicyMember/hierarchy-sa-folderadmin  Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMPolicyMember/logging-sa-bigqueryadmin  Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMPolicyMember/logging-sa-logadmin-perm  Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMPolicyMember/networking-sa-dns-permis  Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMPolicyMember/networking-sa-networkadm  Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMPolicyMember/networking-sa-security-p  Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMPolicyMember/networking-sa-service-co  Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMPolicyMember/networking-sa-servicedir  Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMPolicyMember/networking-sa-xpnadmin-p  Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMPolicyMember/policies-sa-orgpolicyadm  Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMPolicyMember/projects-sa-billinguser-  Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMPolicyMember/projects-sa-projectcreat  Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMPolicyMember/projects-sa-projectdelet  Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMPolicyMember/projects-sa-projectiamad  Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMPolicyMember/projects-sa-projectmover  Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMPolicyMember/projects-sa-serviceusage  Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMServiceAccount/gatekeeper-admin-sa     Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMServiceAccount/hierarchy-sa            Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMServiceAccount/logging-sa              Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMServiceAccount/networking-sa           Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMServiceAccount/policies-sa             Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  IAMServiceAccount/projects-sa             Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  Service/kcc-kls-cluster3-accesscontextma  Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  Service/kcc-kls-cluster3-cloudbilling     Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  Service/kcc-kls-cluster3-cloudresourcema  Successful    Current                 Ready                                     61m     Resource is Current                     
config-con  Service/kcc-kls-cluster3-serviceusage     Successful    Current                 Ready                                     61m     Resource is Current                     
gatekeeper  ConfigConnectorContext/configconnectorco  Successful    Current                 <None>                                    61m     status.healthy is true                  
hierarchy   ConfigConnectorContext/configconnectorco  Successful    Current                 <None>                                    60m     status.healthy is true                  
hierarchy   RoleBinding/allow-folders-resource-refer  Successful    Current                 <None>                                    60m     Resource is current                     
hierarchy   RoleBinding/allow-hierarchy-resource-ref  Successful    Current                 <None>                                    60m     Resource is current                     
hierarchy   RoleBinding/allow-hierarchy-resource-ref  Successful    Current                 <None>                                    60m     Resource is current                     
hierarchy   RoleBinding/allow-hierarchy-resource-ref  Successful    Current                 <None>                                    60m     Resource is current                     
hierarchy   Folder/audits                             Successful    Current                 Ready                                     60m     Resource is Current                     
hierarchy   Folder/clients                            Successful    Current                 Ready                                     60m     Resource is Current                     
hierarchy   Folder/services                           Successful    Current                 Ready                                     60m     Resource is Current                     
hierarchy   Folder/services-infrastructure            Successful    Current                 Ready                                     60m     Resource is Current                     
logging     ConfigConnectorContext/configconnectorco  Successful    Current                 <None>                                    60m     status.healthy is true                  
logging     LoggingLogBucket/platform-and-component-  Successful    Current                 Ready                                     3m      Resource is Current                     
logging     LoggingLogBucket/security-log-bucket-kls  Successful    Current                 Ready                                     3m      Resource is Current                     
logging     LoggingLogSink/logging-project-kls-secur  Successful    Current                 Ready                                     32s     Resource is Current                     
logging     LoggingLogSink/mgmt-project-cluster-disa  Successful    Current                 Ready                                     3m      Resource is Current                     
logging     LoggingLogSink/mgmt-project-cluster-plat  Successful    Current                 Ready                                     31s     Resource is Current                     
logging     LoggingLogSink/platform-and-component-se  Successful    Current                 Ready                                     31s     Resource is Current                     
logging     LoggingLogSink/platform-and-component-se  Successful    Current                 Ready                                     31s     Resource is Current                     
logging     RoleBinding/allow-logging-resource-refer  Successful    Current                 <None>                                    60m     Resource is current                     
networking  ConfigConnectorContext/configconnectorco  Successful    Current                 <None>                                    60m     status.healthy is true                  
networking  DNSManagedZone/dns-project-kls-standard-  Successful    InProgress              Ready                                     32s     Update in progress                      
policies    ConfigConnectorContext/configconnectorco  Successful    Current                 <None>                                    60m     status.healthy is true                  
policies    ResourceManagerPolicy/compute-disable-gu  Successful    Current                 Ready                                     60m     Resource is Current                     
policies    ResourceManagerPolicy/compute-disable-ne  Successful    Current                 Ready                                     60m     Resource is Current                     
policies    ResourceManagerPolicy/compute-disable-se  Successful    Current                 Ready                                     60m     Resource is Current                     
policies    ResourceManagerPolicy/compute-disable-vp  Successful    Current                 Ready                                     60m     Resource is Current                     
policies    ResourceManagerPolicy/compute-require-os  Successful    Current                 Ready                                     60m     Resource is Current                     
policies    ResourceManagerPolicy/compute-require-sh  Successful    Current                 Ready                                     60m     Resource is Current                     
policies    ResourceManagerPolicy/compute-require-sh  Successful    Current                 Ready                                     60m     Resource is Current                     
policies    ResourceManagerPolicy/compute-restrict-l  Successful    Current                 Ready                                     60m     Resource is Current                     
policies    ResourceManagerPolicy/compute-restrict-s  Successful    Current                 Ready                                     60m     Resource is Current                     
policies    ResourceManagerPolicy/compute-restrict-v  Successful    Current                 Ready                                     60m     Resource is Current                     
policies    ResourceManagerPolicy/compute-skip-defau  Successful    Current                 Ready                                     60m     Resource is Current                     
policies    ResourceManagerPolicy/compute-trusted-im  Successful    Current                 Ready                                     60m     Resource is Current                     
policies    ResourceManagerPolicy/compute-vm-can-ip-  Successful    Current                 Ready                                     60m     Resource is Current                     
policies    ResourceManagerPolicy/compute-vm-externa  Successful    Current                 Ready                                     60m     Resource is Current                     
policies    ResourceManagerPolicy/essentialcontacts-  Successful    Current                 Ready                                     60m     Resource is Current                     
policies    ResourceManagerPolicy/gcp-restrict-resou  Successful    Current                 Ready                                     60m     Resource is Current                     
policies    ResourceManagerPolicy/iam-allowed-policy  Successful    Current                 Ready                                     60m     Resource is Current                     
policies    ResourceManagerPolicy/iam-disable-servic  Successful    Current                 Ready                                     60m     Resource is Current                     
policies    ResourceManagerPolicy/sql-restrict-publi  Successful    Current                 Ready                                     60m     Resource is Current                     
policies    ResourceManagerPolicy/storage-public-acc  Successful    Current                 Ready                                     60m     Resource is Current                     
policies    ResourceManagerPolicy/storage-uniform-bu  Successful    Current                 Ready                                     60m     Resource is Current                     
projects    ConfigConnectorContext/configconnectorco  Successful    Current                 <None>                                    60m     status.healthy is true                  
projects    IAMAuditConfig/logging-project-data-acce  Successful    Current                 Ready                                     3m      Resource is Current                     
projects    IAMPartialPolicy/mgmt-project-cluster-pl  Successful    Current                 Ready                                     3m      Resource is Current                     
projects    IAMPartialPolicy/platform-and-component-  Successful    Current                 Ready                                     3m      Resource is Current                     
projects    IAMPartialPolicy/platform-and-component-  Successful    Current                 Ready                                     3m      Resource is Current                     
projects    IAMPartialPolicy/security-log-bucket-wri  Successful    Current                 Ready                                     3m      Resource is Current                     
projects    RoleBinding/allow-projects-resource-refe  Successful    Current                 <None>                                    60m     Resource is current                     
projects    RoleBinding/allow-projects-resource-refe  Successful    Current                 <None>                                    60m     Resource is current                     
projects    RoleBinding/allow-projects-resource-refe  Successful    Current                 <None>                                    60m     Resource is current                     
projects    Project/dns-project-kls                   Successful    Current                 Ready                                     59m     Resource is Current                     
projects    Project/logging-project-kls               Successful    Current                 Ready                                     60m     Resource is Current                     
projects    Service/dns-project-kls-dns               Successful    Current                 Ready                                     30s     Resource is Current                     

root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ kpt live status core-landing-zone
inventory-85852139/folder.resourcemanager.cnrm.cloud.google.com/hierarchy/audits is Current: Resource is Current
inventory-85852139/logginglogbucket.logging.cnrm.cloud.google.com/logging/security-log-bucket-kls is Current: Resource is Current
inventory-85852139/logginglogbucket.logging.cnrm.cloud.google.com/logging/platform-and-component-log-bucket-kls is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/projects/security-log-bucket-writer-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/projects/platform-and-component-services-log-bucket-writer-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/projects/platform-and-component-services-infra-log-bucket-writer-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/projects/mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions is Current: Resource is Current
inventory-85852139/iamauditconfig.iam.cnrm.cloud.google.com/projects/logging-project-data-access-log-config is Current: Resource is Current
inventory-85852139/project.resourcemanager.cnrm.cloud.google.com/projects/logging-project-kls is Current: Resource is Current
inventory-85852139/folder.resourcemanager.cnrm.cloud.google.com/hierarchy/clients is Current: Resource is Current
inventory-85852139/logginglogsink.logging.cnrm.cloud.google.com/logging/platform-and-component-services-log-sink is Current: Resource is Current
inventory-85852139/folder.resourcemanager.cnrm.cloud.google.com/hierarchy/services is Current: Resource is Current
inventory-85852139/dnsmanagedzone.dns.cnrm.cloud.google.com/networking/dns-project-kls-standard-core-public-dns is Current: Resource is Current
inventory-85852139/project.resourcemanager.cnrm.cloud.google.com/projects/dns-project-kls is Current: Resource is Current
inventory-85852139/service.serviceusage.cnrm.cloud.google.com/projects/dns-project-kls-dns is Current: Resource is Current
inventory-85852139/logginglogsink.logging.cnrm.cloud.google.com/logging/platform-and-component-services-infra-log-sink is Current: Resource is Current
inventory-85852139/folder.resourcemanager.cnrm.cloud.google.com/hierarchy/services-infrastructure is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-require-shielded-vm-except-mgt-project is Current: Resource is Current
inventory-85852139/logginglogsink.logging.cnrm.cloud.google.com/logging/mgmt-project-cluster-platform-and-component-log-sink is Current: Resource is Current
inventory-85852139/logginglogsink.logging.cnrm.cloud.google.com/logging/mgmt-project-cluster-disable-default-bucket is Current: Resource is Current
inventory-85852139/service.serviceusage.cnrm.cloud.google.com/config-control/kcc-kls-cluster3-cloudbilling is Current: Resource is Current
inventory-85852139/service.serviceusage.cnrm.cloud.google.com/config-control/kcc-kls-cluster3-cloudresourcemanager is Current: Resource is Current
inventory-85852139/service.serviceusage.cnrm.cloud.google.com/config-control/kcc-kls-cluster3-serviceusage is Current: Resource is Current
inventory-85852139/service.serviceusage.cnrm.cloud.google.com/config-control/kcc-kls-cluster3-accesscontextmanager is Current: Resource is Current
inventory-85852139/iamserviceaccount.iam.cnrm.cloud.google.com/config-control/gatekeeper-admin-sa is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/gatekeeper-admin-sa-metric-writer-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/config-control/gatekeeper-admin-sa-workload-identity-binding is Current: Resource is Current
inventory-85852139/configconnectorcontext.core.cnrm.cloud.google.com/gatekeeper-system/configconnectorcontext.core.cnrm.cloud.google.com is Current: status.healthy is true
inventory-85852139/iamserviceaccount.iam.cnrm.cloud.google.com/config-control/hierarchy-sa is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/hierarchy-sa-folderadmin-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/config-control/hierarchy-sa-workload-identity-binding is Current: Resource is Current
inventory-85852139/namespace//hierarchy is Current: Resource is current
inventory-85852139/configconnectorcontext.core.cnrm.cloud.google.com/hierarchy/configconnectorcontext.core.cnrm.cloud.google.com is Current: status.healthy is true
inventory-85852139/rolebinding.rbac.authorization.k8s.io/hierarchy/allow-hierarchy-resource-reference-from-projects is Current: Resource is current
inventory-85852139/rolebinding.rbac.authorization.k8s.io/hierarchy/allow-hierarchy-resource-reference-from-policies is Current: Resource is current
inventory-85852139/rolebinding.rbac.authorization.k8s.io/hierarchy/allow-hierarchy-resource-reference-from-config-control is Current: Resource is current
inventory-85852139/rolebinding.rbac.authorization.k8s.io/hierarchy/allow-folders-resource-reference-to-logging is Current: Resource is current
inventory-85852139/iamserviceaccount.iam.cnrm.cloud.google.com/config-control/logging-sa is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/logging-sa-logadmin-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/logging-sa-bigqueryadmin-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/config-control/logging-sa-workload-identity-binding is Current: Resource is Current
inventory-85852139/namespace//logging is Current: Resource is current
inventory-85852139/configconnectorcontext.core.cnrm.cloud.google.com/logging/configconnectorcontext.core.cnrm.cloud.google.com is Current: status.healthy is true
inventory-85852139/rolebinding.rbac.authorization.k8s.io/logging/allow-logging-resource-reference-from-projects is Current: Resource is current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/config-control-sa-orgroleadmin-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/config-control-sa-management-project-editor-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/config-control-sa-management-project-serviceaccountadmin-permissions is Current: Resource is Current
inventory-85852139/iamserviceaccount.iam.cnrm.cloud.google.com/config-control/networking-sa is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/networking-sa-networkadmin-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/networking-sa-security-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/networking-sa-dns-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/networking-sa-service-control-org-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/networking-sa-xpnadmin-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/networking-sa-servicedirectoryeditor-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/config-control/networking-sa-workload-identity-binding is Current: Resource is Current
inventory-85852139/namespace//networking is Current: Resource is current
inventory-85852139/configconnectorcontext.core.cnrm.cloud.google.com/networking/configconnectorcontext.core.cnrm.cloud.google.com is Current: status.healthy is true
inventory-85852139/iamserviceaccount.iam.cnrm.cloud.google.com/config-control/policies-sa is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/policies-sa-orgpolicyadmin-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/config-control/policies-sa-workload-identity-binding is Current: Resource is Current
inventory-85852139/namespace//policies is Current: Resource is current
inventory-85852139/configconnectorcontext.core.cnrm.cloud.google.com/policies/configconnectorcontext.core.cnrm.cloud.google.com is Current: status.healthy is true
inventory-85852139/iamserviceaccount.iam.cnrm.cloud.google.com/config-control/projects-sa is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/projects-sa-projectiamadmin-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/projects-sa-projectcreator-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/projects-sa-projectmover-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/projects-sa-projectdeleter-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/projects-sa-serviceusageadmin-permissions is Current: Resource is Current
inventory-85852139/iampolicymember.iam.cnrm.cloud.google.com/config-control/projects-sa-billinguser-permissions is Current: Resource is Current
inventory-85852139/iampartialpolicy.iam.cnrm.cloud.google.com/config-control/projects-sa-workload-identity-binding is Current: Resource is Current
inventory-85852139/namespace//projects is Current: Resource is current
inventory-85852139/configconnectorcontext.core.cnrm.cloud.google.com/projects/configconnectorcontext.core.cnrm.cloud.google.com is Current: status.healthy is true
inventory-85852139/rolebinding.rbac.authorization.k8s.io/projects/allow-projects-resource-reference-from-logging is Current: Resource is current
inventory-85852139/rolebinding.rbac.authorization.k8s.io/projects/allow-projects-resource-reference-from-networking is Current: Resource is current
inventory-85852139/rolebinding.rbac.authorization.k8s.io/projects/allow-projects-resource-reference-from-policies is Current: Resource is current
inventory-85852139/iamcustomrole.iam.cnrm.cloud.google.com/config-control/gke-firewall-admin is Current: Resource is Current
inventory-85852139/iamcustomrole.iam.cnrm.cloud.google.com/config-control/tier2-dnsrecord-admin is Current: Resource is Current
inventory-85852139/iamcustomrole.iam.cnrm.cloud.google.com/config-control/tier2-vpcpeering-admin is Current: Resource is Current
inventory-85852139/iamcustomrole.iam.cnrm.cloud.google.com/config-control/tier3-dnsrecord-admin is Current: Resource is Current
inventory-85852139/iamcustomrole.iam.cnrm.cloud.google.com/config-control/tier3-firewallrule-admin is Current: Resource is Current
inventory-85852139/iamcustomrole.iam.cnrm.cloud.google.com/config-control/tier3-vpcsc-admin is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-disable-guest-attribute-access is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-disable-nested-virtualization is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-disable-serial-port-access is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-disable-vpc-external-ipv6 is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-require-os-login is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-require-shielded-vm is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-restrict-load-balancer-creation-for-types is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-restrict-shared-vpc-lien-removal is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-restrict-vpc-peering is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-skip-default-network-creation is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-trusted-image-projects is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-vm-can-ip-forward is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/compute-vm-external-ip-access is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/essentialcontacts-allowed-contact-domains is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/gcp-restrict-resource-locations is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/iam-allowed-policy-member-domains is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/iam-disable-service-account-key-creation is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/sql-restrict-public-ip is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/storage-public-access-prevention is Current: Resource is Current
inventory-85852139/resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/policies/storage-uniform-bucket-level-access is Current: Resource is Current
inventory-85852139/logginglogsink.logging.cnrm.cloud.google.com/logging/logging-project-kls-security-sink is Current: Resource is Current
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$