GoogleCloudPlatform / pubsec-declarative-toolkit

The GCP PubSec Declarative Toolkit is a collection of declarative solutions to help you on your Journey to Google Cloud. Solutions are designed using Config Connector and deployed using Config Controller.
Apache License 2.0

258/446 fortigate hub-env package: missing role yakima gke service account role - kpt render failed to set org id #573

Open obriensystems opened 1 year ago

obriensystems commented 1 year ago

Investigate missing yakima GKE service account role - a custom role as part of #466

See https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/project/hub-env/fortigate/custom-role.yaml#L23

    cnrm.cloud.google.com/organization-id: "123456789012" # kpt-set: ${org-id}

should be replaced with

  org-id: "156483884993"

from https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/project/hub-env/README.md in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/core-landing-zone/setters.yaml#L41 but not in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/project/hub-env/setters.yaml

root_@cloudshell:~ (kcc-kls-cluster3)$ kubectl get gcp
NAME                                                                  AGE   READY   STATUS         STATUS AGE
iamcustomrole.iam.cnrm.cloud.google.com/gke-firewall-admin            66d   True    UpToDate       66d
iamcustomrole.iam.cnrm.cloud.google.com/hub-fortigatesdnreader-role   66d   False   UpdateFailed   66d
iamcustomrole.iam.cnrm.cloud.google.com/tier2-dnsrecord-admin         66d   True    UpToDate       66d
iamcustomrole.iam.cnrm.cloud.google.com/tier2-vpcpeering-admin        66d   True    UpToDate       66d
iamcustomrole.iam.cnrm.cloud.google.com/tier3-dnsrecord-admin         66d   True    UpToDate       66d
iamcustomrole.iam.cnrm.cloud.google.com/tier3-firewallrule-admin      66d   True    UpToDate       66d
iamcustomrole.iam.cnrm.cloud.google.com/tier3-vpcsc-admin             66d   True    UpToDate       66d

NAME                                                                                       AGE   READY   STATUS     STATUS AGE
iampartialpolicy.iam.cnrm.cloud.google.com/gatekeeper-admin-sa-workload-identity-binding   66d   True    UpToDate   66d
iampartialpolicy.iam.cnrm.cloud.google.com/hierarchy-sa-workload-identity-binding          66d   True    UpToDate   66d
iampartialpolicy.iam.cnrm.cloud.google.com/logging-sa-workload-identity-binding            66d   True    UpToDate   66d
iampartialpolicy.iam.cnrm.cloud.google.com/networking-sa-workload-identity-binding         66d   True    UpToDate   66d
iampartialpolicy.iam.cnrm.cloud.google.com/policies-sa-workload-identity-binding           66d   True    UpToDate   66d
iampartialpolicy.iam.cnrm.cloud.google.com/projects-sa-workload-identity-binding           66d   True    UpToDate   66d

NAME                                                                                                             AGE   READY   STATUS         STATUS AGE
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-management-project-editor-permissions                66d   True    UpToDate       66d
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-management-project-serviceaccountadmin-permissions   66d   True    UpToDate       66d
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-orgroleadmin-permissions                             66d   True    UpToDate       66d
iampolicymember.iam.cnrm.cloud.google.com/gatekeeper-admin-sa-metric-writer-permissions                          66d   True    UpToDate       66d
iampolicymember.iam.cnrm.cloud.google.com/hierarchy-sa-folderadmin-permissions                                   66d   True    UpToDate       66d
iampolicymember.iam.cnrm.cloud.google.com/hub-admin-computeinstanceadmin-permissions                             66d   True    UpToDate       66d
iampolicymember.iam.cnrm.cloud.google.com/hub-admin-iaptunnelresourceaccessor-permissions                        66d   True    UpToDate       66d
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-bigqueryadmin-permissions                                   66d   True    UpToDate       66d
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-logadmin-permissions                                        66d   True    UpToDate       66d
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-computeinstanceadmin-permissions                         66d   False   UpdateFailed   66d
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-dns-permissions                                          66d   True    UpToDate       66d
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-networkadmin-permissions                                 66d   True    UpToDate       66d
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-security-permissions                                     66d   True    UpToDate       66d
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-service-control-org-permissions                          66d   True    UpToDate       66d
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-serviceaccountadmin-permissions                          66d   False   UpdateFailed   66d
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-serviceaccountuser-permissions                           66d   False   UpdateFailed   66d
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-servicedirectoryeditor-permissions                       66d   True    UpToDate       66d
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-xpnadmin-permissions                                     66d   True    UpToDate       66d
iampolicymember.iam.cnrm.cloud.google.com/policies-sa-orgpolicyadmin-permissions                                 66d   True    UpToDate       66d
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-billinguser-permissions                                    66d   True    UpToDate       66d
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectcreator-permissions                                 66d   True    UpToDate       66d
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectdeleter-permissions                                 66d   True    UpToDate       66d
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectiamadmin-permissions                                66d   True    UpToDate       66d
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectmover-permissions                                   66d   True    UpToDate       66d
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-serviceusageadmin-permissions                              66d   True    UpToDate       66d

NAME                                                              AGE   READY   STATUS     STATUS AGE
iamserviceaccount.iam.cnrm.cloud.google.com/gatekeeper-admin-sa   66d   True    UpToDate   66d
iamserviceaccount.iam.cnrm.cloud.google.com/hierarchy-sa          66d   True    UpToDate   66d
iamserviceaccount.iam.cnrm.cloud.google.com/logging-sa            66d   True    UpToDate   66d
iamserviceaccount.iam.cnrm.cloud.google.com/networking-sa         66d   True    UpToDate   66d
iamserviceaccount.iam.cnrm.cloud.google.com/policies-sa           66d   True    UpToDate   66d
iamserviceaccount.iam.cnrm.cloud.google.com/projects-sa           66d   True    UpToDate   66d

NAME                                                                               AGE   READY   STATUS     STATUS AGE
service.serviceusage.cnrm.cloud.google.com/kcc-kls-cluster3-accesscontextmanager   66d   True    UpToDate   66d
service.serviceusage.cnrm.cloud.google.com/kcc-kls-cluster3-cloudbilling           66d   True    UpToDate   66d
service.serviceusage.cnrm.cloud.google.com/kcc-kls-cluster3-cloudresourcemanager   66d   True    UpToDate   66d
service.serviceusage.cnrm.cloud.google.com/kcc-kls-cluster3-serviceusage           66d   True    UpToDate   66d
root_@cloudshell:~ (kcc-kls-cluster3)$ kubectl describe iamcustomrole.iam.cnrm.cloud.google.com/hub-fortigatesdnreader-role
Name:         hub-fortigatesdnreader-role
Namespace:    config-control
Labels:       <none>
Annotations:  cnrm.cloud.google.com/blueprint: kpt-pkg-fn-live
              cnrm.cloud.google.com/deletion-policy: abandon
              cnrm.cloud.google.com/management-conflict-prevention-policy: none
              cnrm.cloud.google.com/organization-id: 123456789012
              cnrm.cloud.google.com/state-into-spec: merge
              config.k8s.io/owning-inventory: abfad438df75719484ab97c58408cf033b706bf4-1692064998262569676
              config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/dmu-admin1-hub-kls
              internal.kpt.dev/upstream-identifier: iam.cnrm.cloud.google.com|IAMCustomRole|config-control|hub-fortigatesdnreader-role
API Version:  iam.cnrm.cloud.google.com/v1beta1
Kind:         IAMCustomRole
Metadata:
  Creation Timestamp:  2023-08-15T02:26:01Z
  Generation:          1
  Resource Version:    12660918
  UID:                 b43d3165-aad7-4e21-86bc-0a43fcd385b2
Spec:
  Permissions:
    container.nodes.list
    container.pods.list
    container.services.list
    compute.instances.list
    compute.zones.list
    container.clusters.list
  Resource ID:  FortigateSdnViewer
  Title:        FortiGate SDN Connector Role (read-only)
Status:
  Conditions:
    Last Transition Time:  2023-08-15T02:26:01Z
    Message:               Update call failed: error fetching live state: error reading underlying resource: summary: Error when reading or editing organizations/123456789012/roles/FortigateSdnViewer: googleapi: Error 403: You don't have permission to get the role at organizations/123456789012/roles/FortigateSdnViewer.
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "iam.googleapis.com",
    "metadata": {
      "permission": "iam.roles.get",
      "resource": "organizations/123456789012/roles/FortigateSdnViewer"
    },
    "reason": "IAM_PERMISSION_DENIED"
  }
]
, forbidden
    Reason:             UpdateFailed
    Status:             False
    Type:               Ready
  Observed Generation:  1
Events:
  Type     Reason        Age                    From                      Message
  ----     ------        ----                   ----                      -------
  Warning  UpdateFailed  57s (x136 over 4h21m)  iamcustomrole-controller  Update call failed: error fetching live state: error reading underlying resource: summary: Error when reading or editing organizations/123456789012/roles/FortigateSdnViewer: googleapi: Error 403: You don't have permission to get the role at organizations/123456789012/roles/FortigateSdnViewer.
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "iam.googleapis.com",
    "metadata": {
      "permission": "iam.roles.get",
      "resource": "organizations/123456789012/roles/FortigateSdnViewer"
    },
    "reason": "IAM_PERMISSION_DENIED"
  }
]
, forbidden

I have the hub/setters.yaml set correctly; rechecking the fn apply process and/or adjusting manually.
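A pre-render check for the failure described in this comment, added here as an example (not the toolkit's own code): it lists every `# kpt-set: ${name}` marker in a package's manifests whose name has no key under `data:` in the setters ConfigMap, which is exactly how `org-id` was left at its placeholder. The setters and custom-role snippets inside it are constructed samples modelled on the hub-env files linked above.

```python
# Added example, not toolkit code: flags `# kpt-set: ${name}` markers whose
# name has no key under `data:` in setters.yaml. apply-setters leaves such
# markers at their placeholder, which is how organization-id stayed 123456789012.
import re

MARKER_RE = re.compile(r"#\s*kpt-set:\s*\$\{([A-Za-z0-9_.-]+)\}")

def setter_keys(setters_yaml: str) -> set:
    """Flat keys under the top-level `data:` block of a setters ConfigMap."""
    keys, in_data = set(), False
    for line in setters_yaml.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # top-level key: are we entering data:?
            in_data = line.startswith("data:")
            continue
        m = re.match(r"\s+([A-Za-z0-9_.-]+)\s*:", line)
        if in_data and m:
            keys.add(m.group(1))
    return keys

def markers(manifest: str) -> dict:
    """Setter name -> 1-based line numbers carrying a kpt-set marker."""
    found = {}
    for n, line in enumerate(manifest.splitlines(), 1):
        for name in MARKER_RE.findall(line):
            found.setdefault(name, []).append(n)
    return found

def missing_setters(setters_yaml: str, manifests: dict) -> dict:
    """Setter name -> sorted files whose markers have no key in setters.yaml."""
    keys = setter_keys(setters_yaml)
    missing = {}
    for path, text in manifests.items():
        for name in markers(text):
            if name not in keys:
                missing.setdefault(name, set()).add(path)
    return {k: sorted(v) for k, v in missing.items()}

# Constructed inputs modelled on the hub-env package discussed in the issue.
SETTERS_BEFORE = 'kind: ConfigMap\nmetadata:\n  name: setters\ndata:\n  project-id: "dmu-admin1-hub-kls"\n'
SETTERS_AFTER = SETTERS_BEFORE + '  org-id: "156483884993"\n'
CUSTOM_ROLE = ('kind: IAMCustomRole\nmetadata:\n  name: hub-fortigatesdnreader-role\n  annotations:\n'
               '    cnrm.cloud.google.com/organization-id: "123456789012" # kpt-set: ${org-id}\n')

if __name__ == "__main__":
    for label, setters in (("before", SETTERS_BEFORE), ("after", SETTERS_AFTER)):
        print(label, missing_setters(setters, {"fortigate/custom-role.yaml": CUSTOM_ROLE}))
```

Running it against a real package means reading setters.yaml and every other `*.yaml` under the package root into the `manifests` dict; a non-empty result is a reason to stop before `kpt fn render`.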

obriensystems commented 1 year ago

Testing fix for setters.yaml:

kind: ConfigMap
metadata: # kpt-merge: /setters
  name: setters
  annotations:
    config.kubernetes.io/local-config: "true"
    internal.kpt.dev/upstream-identifier: '|ConfigMap|default|setters'
data:
+  org-id: "156483884993"
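Review bot: the new `org-id` key only feeds `kpt fn render`; the live IAMCustomRole in the describe output above still carries `cnrm.cloud.google.com/organization-id: 123456789012`, so the re-rendered package also has to be re-applied (`kpt live apply`) before the controller retries against the real organization instead of the placeholder. Keeping `config.kubernetes.io/local-config: "true"` on this ConfigMap is right, since the setter values must stay out of the cluster.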

Add to setters at the root of the package.

Re-render:

root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ kpt fn render hub-env
Package "hub-env": 
[RUNNING] "gcr.io/kpt-fn/apply-setters:v0.2"
[PASS] "gcr.io/kpt-fn/apply-setters:v0.2" in 2s
  Results:
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "dmu-admin1-hub-kls"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "dmu-admin1-hub-kls"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "dmu-admin1-hub-kls"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "dmu-admin1-hub-kls"
    ...(105 line(s) truncated, use '--truncate-output=false' to disable)
[RUNNING] "gcr.io/kpt-fn/search-replace:v0.2.0"
[PASS] "gcr.io/kpt-fn/search-replace:v0.2.0" in 1.8s
  Results:
    [info]: no matches

Successfully executed 2 function(s) in 1 package(s).
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ ls hub-env/
CHANGELOG.md  fortigates.md  network       project-iam.yaml  README.md           samples                     securitycontrols.md  setters.yaml
fortigate     Kptfile        org-policies  project.yaml      resourcegroup.yaml  search-replace-config.yaml  services.yaml

kind: IAMCustomRole
metadata: # kpt-merge: config-control/hub-fortigatesdnreader-role
  name: hub-fortigatesdnreader-role
  namespace: config-control
  annotations:
    cnrm.cloud.google.com/organization-id: "156483884993" # kpt-set: ${org-id}

fmichaelobrien commented 1 year ago

Next ones: https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/599, https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/608, https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/607