GoogleCloudPlatform / pubsec-declarative-toolkit

The GCP PubSec Declarative Toolkit is a collection of declarative solutions to help you on your Journey to Google Cloud. Solutions are designed using Config Connector and deployed using Config Controller.
Apache License 2.0

Add dev friendly unsecured LZ V2 package set (no org policies that block redeployment of the GKE/KCC cluster) #550

Open fmichaelobrien opened 1 year ago

fmichaelobrien commented 1 year ago

A developer needs a repeatable way to create/delete packages but also to create/delete the GKE KCC cluster. Start with not deploying the gatekeeper-policies: https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/docs/landing-zone-v2/README.md#gatekeeper-policies

See for example: Re-creating the CC GKE cluster after deploying the landing-zone solution requires removal of the requireShieldedVM org policy.

Documentation draft at

https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/wiki/DevOps

see also #534, #549, #548, #541, #545, #546, #535

obriensystems commented 1 year ago

20231019 setup.sh script for kcc cluster delete/recreate and lz kpt apply/destroy in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/446#issuecomment-1771365186 under https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/gh446-hub/solutions/setup.sh

see package and kcc cluster deletion in #344

Disable project liens as part of the developer friendly workflow. For example - before the kpt live destroy - lifecycle can reconcile - we need to pre-disable the project or delete the lien.


```
michael@cloudshell:~/dev/pdt-oldev/obriensystems (audit-prj-id-oldv1)$ gcloud config set project net-host-prj-prod-oldv1
Updated property [core/project].
michael@cloudshell:~/dev/pdt-oldev/obriensystems (net-host-prj-prod-oldv1)$ gcloud alpha resource-manager liens list
NAME: p553611293232-lb8bec0d8-ed46-45c2-81fb-3dda344e6008
ORIGIN: xpn.googleapis.com
REASON: This lien is added to prevent the deletion of this shared VPC host project. The host project should be disabled before it is deleted.
michael@cloudshell:~/dev/pdt-oldev/obriensystems (net-host-prj-prod-oldv1)$ gcloud alpha resource-manager liens delete  p553611293232-lb8bec0d8-ed46-45c2-81fb-3dda344e6008
Deleted [liens/p553611293232-lb8bec0d8-ed46-45c2-81fb-3dda344e6008].
michael@cloudshell:~/dev/pdt-oldev/obriensystems (net-host-prj-prod-oldv1)$

michael@cloudshell:~/dev/pdt-oldev/obriensystems (net-host-prj-prod-oldv1)$ kpt live destroy landing-zone
folder.resourcemanager.cnrm.cloud.google.com/infrastructure.networking.prodnetworking reconcile successful
```

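
The lien-removal step above, as an added example (not the toolkit's own setup.sh): a small shell helper that parses the `gcloud alpha resource-manager liens list` output and only releases liens placed by a given origin (default `xpn.googleapis.com`, the shared VPC host lien), so a manually added hold lien is not swept away by the dev workflow. The listing format, the `--project` flag and the `DRY_RUN` variable are assumptions; the sample listing is constructed from the issue's output.

```shell
#!/usr/bin/env bash
# Added example, not part of pubsec-declarative-toolkit. Releases project liens
# before `kpt live destroy`, scoped to liens created by one origin.
set -eu

# Constructed sample in the NAME:/ORIGIN:/REASON: layout gcloud prints above.
# First entry mirrors the issue; second is a hypothetical manual hold lien.
SAMPLE_LISTING='NAME: p553611293232-lb8bec0d8-ed46-45c2-81fb-3dda344e6008
ORIGIN: xpn.googleapis.com
REASON: This lien is added to prevent the deletion of this shared VPC host project.
NAME: p000000000000-manual-lien-example
ORIGIN: admin@example.com
REASON: constructed: hold for audit, must not be removed by the dev workflow'

# Read a liens listing on stdin, print one lien NAME per line, but only for
# liens whose ORIGIN matches $1 (default: the shared VPC host project lien).
lien_names() {
  origin="${1:-xpn.googleapis.com}"
  awk -v want="$origin" '
    /^NAME: /   { name = $2 }
    /^ORIGIN: / { if ($2 == want && name != "") print name; name = "" }
  '
}

# Release matching liens on a project. DRY_RUN=1 prints instead of deleting.
# Assumes gcloud is installed and authenticated; --project is the global flag.
release_liens() {
  project="$1"
  origin="${2:-xpn.googleapis.com}"
  gcloud alpha resource-manager liens list --project "$project" \
    | lien_names "$origin" \
    | while IFS= read -r name; do
        [ -n "$name" ] || continue
        if [ "${DRY_RUN:-0}" = "1" ]; then
          echo "would delete lien $name on $project"
        else
          echo "deleting lien $name on $project"
          gcloud alpha resource-manager liens delete "$name" --project "$project"
        fi
      done
}

# Usage: DRY_RUN=1 release_liens net-host-prj-prod-oldv1
```

Run with `DRY_RUN=1` first so the names it would delete are visible before the real `kpt live destroy`.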
obriensystems commented 1 year ago

add #588 add #132

obriensystems commented 1 year ago

Actually for 1 of the 2 - the historical Shielded - we are good with the following override:

```
michael@cloudshell:~/kcc-oi/kpt (kcc-oi-9428)$ kubectl get gcp -n policies
NAME                                                                                                         AGE     READY   STATUS     STATUS AGE
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-shielded-vm-except-mgt-project   9m36s   True    UpToDate   9m8s
```