GoogleCloudPlatform / pubsec-declarative-toolkit

The GCP PubSec Declarative Toolkit is a collection of declarative solutions to help you on your Journey to Google Cloud. Solutions are designed using Config Connector and deployed using Config Controller.
Apache License 2.0

Regression: main:post-v0.3.2 core-landing-zone deployment errors in kpt live plan - last clean deploy checked 20230814 #584

Open obriensystems opened 1 year ago

obriensystems commented 1 year ago

main branch

Related to #586

Automation: https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/gh446-hub/solutions/setup.sh#L236

michael@cloudshell:~/kcc-oi/github/pubsec-declarative-toolkit/solutions (kcc-oi-629)$ kpt alpha live plan core-landing-zone
error: 12 errors:
- invalid object: "logging_security-log-bucket_logging.cnrm.cloud.google.com_LoggingLogBucket": invalid "config.kubernetes.io/depends-on" annotation: external dependency: logging.cnrm.cloud.google.com/namespaces/logging/LoggingLogBucket/security-log-bucket -> resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id}
- invalid object: "logging_platform-and-component-log-bucket_logging.cnrm.cloud.google.com_LoggingLogBucket": invalid "config.kubernetes.io/depends-on" annotation: external dependency: logging.cnrm.cloud.google.com/namespaces/logging/LoggingLogBucket/platform-and-component-log-bucket -> resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id}
- invalid object: "projects_security-log-bucket-writer-permissions_iam.cnrm.cloud.google.com_IAMPartialPolicy": invalid "config.kubernetes.io/depends-on" annotation: external dependency: iam.cnrm.cloud.google.com/namespaces/projects/IAMPartialPolicy/security-log-bucket-writer-permissions -> resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id}
- invalid object: "projects_platform-and-component-services-log-bucket-writer-permissions_iam.cnrm.cloud.google.com_IAMPartialPolicy": invalid "config.kubernetes.io/depends-on" annotation: external dependency: iam.cnrm.cloud.google.com/namespaces/projects/IAMPartialPolicy/platform-and-component-services-log-bucket-writer-permissions -> resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id}
- invalid object: "projects_platform-and-component-services-infra-log-bucket-writer-permissions_iam.cnrm.cloud.google.com_IAMPartialPolicy": invalid "config.kubernetes.io/depends-on" annotation: external dependency: iam.cnrm.cloud.google.com/namespaces/projects/IAMPartialPolicy/platform-and-component-services-infra-log-bucket-writer-permissions -> resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id}
- invalid object: "projects_mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions_iam.cnrm.cloud.google.com_IAMPartialPolicy": invalid "config.kubernetes.io/depends-on" annotation: external dependency: iam.cnrm.cloud.google.com/namespaces/projects/IAMPartialPolicy/mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions -> resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id}
- invalid object: "projects_logging-project-data-access-log-config_iam.cnrm.cloud.google.com_IAMAuditConfig": invalid "config.kubernetes.io/depends-on" annotation: external dependency: iam.cnrm.cloud.google.com/namespaces/projects/IAMAuditConfig/logging-project-data-access-log-config -> resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id}
- invalid object: "logging_platform-and-component-services-log-sink_logging.cnrm.cloud.google.com_LoggingLogSink": invalid "config.kubernetes.io/depends-on" annotation: failed to parse object reference (index: 0): expected 3 or 5 fields, found 1: "platform-and-component-log-bucket"
- invalid object: "logging_platform-and-component-services-infra-log-sink_logging.cnrm.cloud.google.com_LoggingLogSink": invalid "config.kubernetes.io/depends-on" annotation: failed to parse object reference (index: 0): expected 3 or 5 fields, found 1: "platform-and-component-log-bucket"
- invalid object: "logging_mgmt-project-cluster-platform-and-component-log-sink_logging.cnrm.cloud.google.com_LoggingLogSink": invalid "config.kubernetes.io/depends-on" annotation: failed to parse object reference (index: 0): expected 3 or 5 fields, found 1: "platform-and-component-log-bucket"
- invalid object: "logging_mgmt-project-cluster-disable-default-bucket_logging.cnrm.cloud.google.com_LoggingLogSink": invalid "config.kubernetes.io/depends-on" annotation: external dependency: logging.cnrm.cloud.google.com/namespaces/logging/LoggingLogSink/mgmt-project-cluster-disable-default-bucket -> resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id}
- invalid object: "logging_logging-project-id-security-sink_logging.cnrm.cloud.google.com_LoggingLogSink": invalid "config.kubernetes.io/depends-on" annotation: failed to parse object reference (index: 0): expected 3 or 5 fields, found 1: "security-log-bucket"

using
  kpt pkg get https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git/solutions/core-landing-zone@main 
  # cp the setters.yaml
  cp ../github/pubsec-declarative-toolkit/solutions/core-landing-zone/setters.yaml core-landing-zone/ 
  #cp pubsec-declarative-toolkit/solutions/landing-zone/.krmignore landing-zone/ 

  echo "kpt live init"
  kpt live init core-landing-zone --namespace config-control --force
  echo "kpt fn render"
  kpt fn render core-landing-zone --truncate-output=false
  echo "kpt live apply"
  kpt live apply core-landing-zone --reconcile-timeout=5m --output=table

from

446

https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/gh446-hub/solutions/setup.sh#L236
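
The two failure shapes in the plan output above (a `config.kubernetes.io/depends-on` value that is not 3 or 5 slash-separated fields, and one that still carries a `${...}` setter placeholder) can be caught in the rendered manifests before planning. This is an added example, not code from the issue or the toolkit: `lint_depends_on`, `write_samples` and the sample manifests are constructed here, and the `namespaces` second-field rule and comma-separated lists are assumptions about the annotation format.

```shell
#!/bin/sh
# Added example: lint depends-on annotations in rendered manifests
# before running `kpt alpha live plan`.

# lint_depends_on FILE...
# Prints "file:line: problem: reference" for each bad reference.
# Returns 1 if any was found, 0 otherwise.
lint_depends_on() {
  awk -v q="'" '
    /^[ \t]*#/ { next }                       # whole-line YAML comment
    {
      v = $0
      sub(/[ \t]+#.*$/, "", v)                # trailing comment such as "# kpt-set: ..."
      if (v !~ /config\.kubernetes\.io\/depends-on:/) next
      sub(/^.*config\.kubernetes\.io\/depends-on:[ \t]*/, "", v)
      sub(/[ \t]+$/, "", v)
      c = substr(v, 1, 1)                     # strip one pair of surrounding quotes
      if ((c == "\"" || c == q) && length(v) > 1 && substr(v, length(v)) == c) {
        v = substr(v, 2, length(v) - 2)
      }
      n = split(v, refs, ",")                 # assumption: several refs are comma-separated
      for (i = 1; i <= n; i++) {
        r = refs[i]
        gsub(/^[ \t]+|[ \t]+$/, "", r)
        f = split(r, p, "/")
        msg = ""
        if (index(r, "${") > 0) {
          msg = "unrendered setter placeholder"
        } else if (f != 3 && f != 5) {
          msg = "expected 3 or 5 fields, found " f
        } else if (f == 5 && p[2] != "namespaces") {
          msg = "second field is not namespaces"   # assumption, from the values on this page
        } else if (p[f] == "" || p[f - 1] == "") {
          msg = "empty kind or name"
        }
        if (msg != "") {
          printf "%s:%d: %s: %s\n", FILENAME, FNR, msg, r
          bad++
        }
      }
    }
    END { exit (bad > 0 ? 1 : 0) }
  ' "$@"
}

# write_samples DIR: constructed manifests using values quoted in this issue.
# The heredocs are quoted so the shell does not expand ${logging-project-id}.
write_samples() {
  cat > "$1/good.yaml" <<'EOF'
kind: LoggingLogBucket
metadata:
  name: security-log-bucket-oi
  namespace: logging
  annotations:
    config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/logging-project-oi # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id}
EOF
  cat > "$1/bad.yaml" <<'EOF'
kind: LoggingLogSink
metadata:
  name: platform-and-component-services-log-sink
  annotations:
    config.kubernetes.io/depends-on: platform-and-component-log-bucket
---
kind: LoggingLogBucket
metadata:
  name: security-log-bucket
  annotations:
    config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/${logging-project-id}
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
lint_depends_on "$tmp/good.yaml" "$tmp/bad.yaml" \
  || echo "fix the references above before running kpt live plan"
rm -rf "$tmp"
```
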

obriensystems commented 1 year ago

retesting last release - not main

michael@cloudshell:~/kcc-oi/github/pubsec-declarative-toolkit/solutions (kcc-oi-629)$ ./setup.sh -b kcc-oi -u oi -n false -c false -l true -r false -d false -j false -p kcc-oi-629
existing project: kcc-oi-629
Date: Sat 21 Oct 2023 02:54:58 PM UTC
Timestamp: 1697900098
running with: -b kcc-oi -u oi -c false -l true -r false -d false -p kcc-oi-629
Updated property [core/project].
Switched back to boot project kcc-oi
Start: 1697900099
unique string: oi
REGION: northamerica-northeast1
NETWORK: kcc-ls-vpc
SUBNET: kcc-ls-sn
CLUSTER: kcc-oi3
Reusing project: kcc-oi-629
CC_PROJECT_ID: kcc-oi-629
BOOT_PROJECT_ID: kcc-oi
BILLING_ID: 014479-806359-2F5F85
ORG_ID: 459065442144
Switching to KCC project kcc-oi-629
Updated property [core/project].
Context "gke_kcc-oi-629_northamerica-northeast1_krmapihost-kcc-oi3" modified.
Active namespace is "config-control".
deploying core-landing-zone
get kpt release package solutions/core-landing-zone version 0.3.2
Package "core-landing-zone":
Fetching https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit@0.3.2
From https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit
 * tag               solutions/core-landing-zone/0.3.2 -> FETCH_HEAD
Adding package "solutions/core-landing-zone".

Fetched 1 package(s).
kpt live init
initializing "resourcegroup.yaml" data (namespace: config-control)...success
kpt fn render
Package "core-landing-zone": 
[RUNNING] "gcr.io/kpt-fn/apply-setters:v0.2"
[PASS] "gcr.io/kpt-fn/apply-setters:v0.2" in 1.5s
  Results:
    [info] spec.folderRef.external: set field value to "96269513997"
    [info] metadata.name: set field value to "security-log-bucket-oi"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/logging-project-oi"
    [info] spec.projectRef.name: set field value to "logging-project-oi"
    [info] spec.locked: set field value to "false"
    [info] spec.retentionDays: set field value to "1"
    [info] metadata.name: set field value to "platform-and-component-log-bucket-oi"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/logging-project-oi"
    [info] spec.projectRef.name: set field value to "logging-project-oi"
    [info] spec.locked: set field value to "false"
    [info] spec.retentionDays: set field value to "1"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/logging-project-oi"
    [info] spec.resourceRef.name: set field value to "logging-project-oi"
    [info] spec.bindings[0].members[0].memberFrom.logSinkRef.name: set field value to "logging-project-oi-security-sink"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/logging-project-oi"
    [info] spec.resourceRef.name: set field value to "logging-project-oi"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/logging-project-oi"
    [info] spec.resourceRef.name: set field value to "logging-project-oi"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/logging-project-oi"
    [info] spec.resourceRef.name: set field value to "logging-project-oi"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/logging-project-oi"
    [info] spec.resourceRef.name: set field value to "logging-project-oi"
    [info] metadata.name: set field value to "logging-project-oi"
    [info] spec.name: set field value to "logging-project-oi"
    [info] spec.billingAccountRef.external: set field value to "014479-806359-2F5F85"
    [info] spec.folderRef.external: set field value to "96269513997"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "logging.cnrm.cloud.google.com/namespaces/logging/LoggingLogBucket/platform-and-component-log-bucket-oi"
    [info] spec.destination.loggingLogBucketRef.external: set field value to "logging.googleapis.com/projects/logging-project-oi/locations/northamerica-northeast1/buckets/platform-and-component-log-bucket-oi"
    [info] spec.folderRef.external: set field value to "96269513997"
    [info] metadata.name: set field value to "dns-project-oi-standard-core-public-dns"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "dns-project-oi"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/dns-project-oi"
    [info] spec.dnsName: set field value to "obrien.industries."
    [info] metadata.name: set field value to "dns-project-oi"
    [info] spec.name: set field value to "dns-project-oi"
    [info] spec.billingAccountRef.external: set field value to "014479-806359-2F5F85"
    [info] metadata.name: set field value to "dns-project-oi-dns"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "dns-project-oi"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/dns-project-oi"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "logging.cnrm.cloud.google.com/namespaces/logging/LoggingLogBucket/platform-and-component-log-bucket-oi"
    [info] spec.destination.loggingLogBucketRef.external: set field value to "logging.googleapis.com/projects/logging-project-oi/locations/northamerica-northeast1/buckets/platform-and-component-log-bucket-oi"
    [info] spec.folderRef.external: set field value to "96269513997"
    [info] spec.projectRef.external: set field value to "kcc-oi-629"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "logging.cnrm.cloud.google.com/namespaces/logging/LoggingLogBucket/platform-and-component-log-bucket-oi"
    [info] spec.projectRef.external: set field value to "kcc-oi-629"
    [info] spec.destination.loggingLogBucketRef.external: set field value to "logging.googleapis.com/projects/logging-project-oi/locations/northamerica-northeast1/buckets/platform-and-component-log-bucket-oi"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/logging-project-oi"
    [info] spec.projectRef.external: set field value to "kcc-oi-629"
    [info] spec.destination.loggingLogBucketRef.external: set field value to "logging.googleapis.com/projects/logging-project-oi/locations/northamerica-northeast1/buckets/_Default"
    [info] metadata.name: set field value to "kcc-oi-629-cloudbilling"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] metadata.name: set field value to "kcc-oi-629-cloudresourcemanager"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] metadata.name: set field value to "kcc-oi-629-serviceusage"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] metadata.name: set field value to "kcc-oi-629-accesscontextmanager"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] spec.resourceRef.external: set field value to "kcc-oi-629"
    [info] spec.member: set field value to "serviceAccount:gatekeeper-admin-sa@kcc-oi-629.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] spec.bindings[0].members[0].member: set field value to "serviceAccount:kcc-oi-629.svc.id.goog[gatekeeper-system/gatekeeper-admin]"
    [info] spec.googleServiceAccount: set field value to "gatekeeper-admin-sa@kcc-oi-629.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] spec.resourceRef.external: set field value to "96269513997"
    [info] spec.member: set field value to "serviceAccount:hierarchy-sa@kcc-oi-629.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] spec.bindings[0].members[0].member: set field value to "serviceAccount:kcc-oi-629.svc.id.goog[cnrm-system/cnrm-controller-manager-hierarchy]"
    [info] spec.googleServiceAccount: set field value to "hierarchy-sa@kcc-oi-629.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] spec.resourceRef.external: set field value to "459065442144"
    [info] spec.member: set field value to "serviceAccount:logging-sa@kcc-oi-629.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] spec.resourceRef.external: set field value to "96269513997"
    [info] spec.member: set field value to "serviceAccount:logging-sa@kcc-oi-629.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] spec.bindings[0].members[0].member: set field value to "serviceAccount:kcc-oi-629.svc.id.goog[cnrm-system/cnrm-controller-manager-logging]"
    [info] spec.googleServiceAccount: set field value to "logging-sa@kcc-oi-629.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] spec.resourceRef.external: set field value to "459065442144"
    [info] spec.member: set field value to "serviceAccount:service-1020702930278@gcp-sa-yakima.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] spec.resourceRef.external: set field value to "kcc-oi-629"
    [info] spec.member: set field value to "serviceAccount:service-1020702930278@gcp-sa-yakima.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] spec.resourceRef.external: set field value to "kcc-oi-629"
    [info] spec.member: set field value to "serviceAccount:service-1020702930278@gcp-sa-yakima.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] spec.resourceRef.external: set field value to "96269513997"
    [info] spec.member: set field value to "serviceAccount:networking-sa@kcc-oi-629.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] spec.resourceRef.external: set field value to "96269513997"
    [info] spec.member: set field value to "serviceAccount:networking-sa@kcc-oi-629.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] spec.resourceRef.external: set field value to "96269513997"
    [info] spec.member: set field value to "serviceAccount:networking-sa@kcc-oi-629.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] spec.resourceRef.external: set field value to "459065442144"
    [info] spec.member: set field value to "serviceAccount:networking-sa@kcc-oi-629.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] spec.resourceRef.external: set field value to "459065442144"
    [info] spec.member: set field value to "serviceAccount:networking-sa@kcc-oi-629.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] spec.resourceRef.external: set field value to "96269513997"
    [info] spec.member: set field value to "serviceAccount:networking-sa@kcc-oi-629.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] spec.bindings[0].members[0].member: set field value to "serviceAccount:kcc-oi-629.svc.id.goog[cnrm-system/cnrm-controller-manager-networking]"
    [info] spec.googleServiceAccount: set field value to "networking-sa@kcc-oi-629.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] spec.resourceRef.external: set field value to "459065442144"
    [info] spec.member: set field value to "serviceAccount:policies-sa@kcc-oi-629.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] spec.bindings[0].members[0].member: set field value to "serviceAccount:kcc-oi-629.svc.id.goog[cnrm-system/cnrm-controller-manager-policies]"
    [info] spec.googleServiceAccount: set field value to "policies-sa@kcc-oi-629.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] spec.resourceRef.external: set field value to "96269513997"
    [info] spec.member: set field value to "serviceAccount:projects-sa@kcc-oi-629.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] spec.resourceRef.external: set field value to "96269513997"
    [info] spec.member: set field value to "serviceAccount:projects-sa@kcc-oi-629.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] spec.resourceRef.external: set field value to "96269513997"
    [info] spec.member: set field value to "serviceAccount:projects-sa@kcc-oi-629.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] spec.resourceRef.external: set field value to "96269513997"
    [info] spec.member: set field value to "serviceAccount:projects-sa@kcc-oi-629.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] spec.resourceRef.external: set field value to "96269513997"
    [info] spec.member: set field value to "serviceAccount:projects-sa@kcc-oi-629.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] spec.resourceRef.external: set field value to "459065442144"
    [info] spec.member: set field value to "serviceAccount:projects-sa@kcc-oi-629.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-629"
    [info] spec.bindings[0].members[0].member: set field value to "serviceAccount:kcc-oi-629.svc.id.goog[cnrm-system/cnrm-controller-manager-projects]"
    [info] spec.googleServiceAccount: set field value to "projects-sa@kcc-oi-629.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/organization-id: set field value to "459065442144"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/organization-id: set field value to "459065442144"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/organization-id: set field value to "459065442144"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/organization-id: set field value to "459065442144"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/organization-id: set field value to "459065442144"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/organization-id: set field value to "459065442144"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/organization-id: set field value to "459065442144"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/organization-id: set field value to "459065442144"
    [info] spec.organizationRef.external: set field value to "459065442144"
    [info] spec.organizationRef.external: set field value to "459065442144"
    [info] spec.organizationRef.external: set field value to "459065442144"
    [info] spec.organizationRef.external: set field value to "459065442144"
    [info] spec.organizationRef.external: set field value to "459065442144"
    [info] spec.organizationRef.external: set field value to "459065442144"
    [info] spec.organizationRef.external: set field value to "459065442144"
    [info] spec.organizationRef.external: set field value to "459065442144"
    [info] spec.listPolicy.allow.values: set field value to "- \"under:organizations/459065442144\"\n"
    [info] spec.organizationRef.external: set field value to "459065442144"
    [info] spec.organizationRef.external: set field value to "459065442144"
    [info] spec.listPolicy.allow.values: set field value to "- \"projects/cos-cloud\"\n"
    [info] spec.organizationRef.external: set field value to "459065442144"
    [info] spec.organizationRef.external: set field value to "459065442144"
    [info] spec.organizationRef.external: set field value to "459065442144"
    [info] spec.listPolicy.allow.values: set field value to "- \"@obrien.industries\"\n"
    [info] spec.organizationRef.external: set field value to "459065442144"
    [info] spec.organizationRef.external: set field value to "459065442144"
    [info] spec.listPolicy.allow.values: set field value to "- \"C03kdhrkc\"\n"
    [info] spec.organizationRef.external: set field value to "459065442144"
    [info] spec.organizationRef.external: set field value to "459065442144"
    [info] spec.organizationRef.external: set field value to "459065442144"
    [info] spec.organizationRef.external: set field value to "459065442144"
    [info] spec.organizationRef.external: set field value to "459065442144"
    [info] metadata.name: set field value to "logging-project-oi-security-sink"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "logging.cnrm.cloud.google.com/namespaces/logging/LoggingLogBucket/security-log-bucket-oi"
    [info] spec.organizationRef.external: set field value to "459065442144"
    [info] spec.destination.loggingLogBucketRef.external: set field value to "logging.googleapis.com/projects/logging-project-oi/locations/northamerica-northeast1/buckets/security-log-bucket-oi"

Successfully executed 1 function(s) in 1 package(s).
kpt live apply
installing inventory ResourceGroup CRD.
inventory update started
inventory update finished
apply phase started
namespace/hierarchy apply successful
namespace/logging apply successful
namespace/networking apply successful
namespace/policies apply successful
namespace/projects apply successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com apply successful
iamcustomrole.iam.cnrm.cloud.google.com/gke-firewall-admin apply successful
iamcustomrole.iam.cnrm.cloud.google.com/tier2-dnsrecord-admin apply successful
iamcustomrole.iam.cnrm.cloud.google.com/tier2-vpcpeering-admin apply successful
iamcustomrole.iam.cnrm.cloud.google.com/tier3-dnsrecord-admin apply successful
iamcustomrole.iam.cnrm.cloud.google.com/tier3-firewallrule-admin apply successful
iamcustomrole.iam.cnrm.cloud.google.com/tier3-subnetwork-admin apply successful
iamcustomrole.iam.cnrm.cloud.google.com/tier3-vpcsc-admin apply successful
iamcustomrole.iam.cnrm.cloud.google.com/tier4-secretmanager-admin apply successful
iampartialpolicy.iam.cnrm.cloud.google.com/gatekeeper-admin-sa-workload-identity-binding apply successful
iampartialpolicy.iam.cnrm.cloud.google.com/hierarchy-sa-workload-identity-binding apply successful
iampartialpolicy.iam.cnrm.cloud.google.com/logging-sa-workload-identity-binding apply successful
iampartialpolicy.iam.cnrm.cloud.google.com/networking-sa-workload-identity-binding apply successful
iampartialpolicy.iam.cnrm.cloud.google.com/policies-sa-workload-identity-binding apply successful
iampartialpolicy.iam.cnrm.cloud.google.com/projects-sa-workload-identity-binding apply successful
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-management-project-editor-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-management-project-serviceaccountadmin-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-orgroleadmin-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/gatekeeper-admin-sa-metric-writer-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/hierarchy-sa-folderadmin-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-bigqueryadmin-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-logadmin-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-dns-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-networkadmin-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-security-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-service-control-org-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-servicedirectoryeditor-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-xpnadmin-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/policies-sa-orgpolicyadmin-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-billinguser-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectcreator-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectdeleter-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectiamadmin-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectmover-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-serviceusageadmin-permissions apply successful
iamserviceaccount.iam.cnrm.cloud.google.com/gatekeeper-admin-sa apply successful
iamserviceaccount.iam.cnrm.cloud.google.com/hierarchy-sa apply successful
iamserviceaccount.iam.cnrm.cloud.google.com/logging-sa apply successful
iamserviceaccount.iam.cnrm.cloud.google.com/networking-sa apply successful
iamserviceaccount.iam.cnrm.cloud.google.com/policies-sa apply successful
iamserviceaccount.iam.cnrm.cloud.google.com/projects-sa apply successful
service.serviceusage.cnrm.cloud.google.com/kcc-oi-629-accesscontextmanager apply successful
service.serviceusage.cnrm.cloud.google.com/kcc-oi-629-cloudbilling apply successful
service.serviceusage.cnrm.cloud.google.com/kcc-oi-629-cloudresourcemanager apply successful
service.serviceusage.cnrm.cloud.google.com/kcc-oi-629-serviceusage apply successful
apply phase finished
reconcile phase started
namespace/hierarchy reconcile successful
namespace/logging reconcile successful
namespace/networking reconcile successful
namespace/policies reconcile successful
namespace/projects reconcile successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com reconcile successful
iamcustomrole.iam.cnrm.cloud.google.com/gke-firewall-admin reconcile successful
iamcustomrole.iam.cnrm.cloud.google.com/tier2-dnsrecord-admin reconcile successful
iamcustomrole.iam.cnrm.cloud.google.com/tier2-vpcpeering-admin reconcile successful
iamcustomrole.iam.cnrm.cloud.google.com/tier3-dnsrecord-admin reconcile successful
iamcustomrole.iam.cnrm.cloud.google.com/tier3-firewallrule-admin reconcile successful
iamcustomrole.iam.cnrm.cloud.google.com/tier3-subnetwork-admin reconcile successful
iamcustomrole.iam.cnrm.cloud.google.com/tier3-vpcsc-admin reconcile successful
iamcustomrole.iam.cnrm.cloud.google.com/tier4-secretmanager-admin reconcile successful
iampartialpolicy.iam.cnrm.cloud.google.com/gatekeeper-admin-sa-workload-identity-binding reconcile successful
iampartialpolicy.iam.cnrm.cloud.google.com/hierarchy-sa-workload-identity-binding reconcile successful
iampartialpolicy.iam.cnrm.cloud.google.com/logging-sa-workload-identity-binding reconcile successful
iampartialpolicy.iam.cnrm.cloud.google.com/networking-sa-workload-identity-binding reconcile successful
iampartialpolicy.iam.cnrm.cloud.google.com/policies-sa-workload-identity-binding reconcile pending
iampartialpolicy.iam.cnrm.cloud.google.com/projects-sa-workload-identity-binding reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-management-project-editor-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-management-project-serviceaccountadmin-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-orgroleadmin-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/gatekeeper-admin-sa-metric-writer-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/hierarchy-sa-folderadmin-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-bigqueryadmin-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-logadmin-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-dns-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-networkadmin-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-security-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-service-control-org-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-servicedirectoryeditor-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-xpnadmin-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/policies-sa-orgpolicyadmin-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-billinguser-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectcreator-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectdeleter-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectiamadmin-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectmover-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-serviceusageadmin-permissions reconcile pending
iamserviceaccount.iam.cnrm.cloud.google.com/gatekeeper-admin-sa reconcile successful
iamserviceaccount.iam.cnrm.cloud.google.com/hierarchy-sa reconcile successful
iamserviceaccount.iam.cnrm.cloud.google.com/logging-sa reconcile successful
iamserviceaccount.iam.cnrm.cloud.google.com/networking-sa reconcile successful
iamserviceaccount.iam.cnrm.cloud.google.com/policies-sa reconcile pending
iamserviceaccount.iam.cnrm.cloud.google.com/projects-sa reconcile pending
service.serviceusage.cnrm.cloud.google.com/kcc-oi-629-accesscontextmanager reconcile pending
service.serviceusage.cnrm.cloud.google.com/kcc-oi-629-cloudbilling reconcile pending
service.serviceusage.cnrm.cloud.google.com/kcc-oi-629-cloudresourcemanager reconcile pending
service.serviceusage.cnrm.cloud.google.com/kcc-oi-629-serviceusage reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectiamadmin-permissions reconcile failed
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectmover-permissions reconcile failed
iamserviceaccount.iam.cnrm.cloud.google.com/projects-sa reconcile successful
iampartialpolicy.iam.cnrm.cloud.google.com/projects-sa-workload-identity-binding reconcile successful
service.serviceusage.cnrm.cloud.google.com/kcc-oi-629-accesscontextmanager reconcile successful
service.serviceusage.cnrm.cloud.google.com/kcc-oi-629-cloudbilling reconcile successful
service.serviceusage.cnrm.cloud.google.com/kcc-oi-629-serviceusage reconcile successful
service.serviceusage.cnrm.cloud.google.com/kcc-oi-629-cloudresourcemanager reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-service-control-org-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-management-project-editor-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-management-project-serviceaccountadmin-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/gatekeeper-admin-sa-metric-writer-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/policies-sa-orgpolicyadmin-permissions reconcile failed
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-logadmin-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/hierarchy-sa-folderadmin-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-serviceusageadmin-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-xpnadmin-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-billinguser-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-bigqueryadmin-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-dns-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-networkadmin-permissions reconcile successful

iampolicymember.iam.cnrm.cloud.google.com/networking-sa-servicedirectoryeditor-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectcreator-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectdeleter-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectiamadmin-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectmover-permissions reconcile successful
iamserviceaccount.iam.cnrm.cloud.google.com/policies-sa reconcile successful
iampartialpolicy.iam.cnrm.cloud.google.com/policies-sa-workload-identity-binding reconcile successful
reconcile phase finished
apply phase started
rolebinding.rbac.authorization.k8s.io/allow-folders-resource-reference-to-logging apply successful
rolebinding.rbac.authorization.k8s.io/allow-hierarchy-resource-reference-from-config-control apply successful
rolebinding.rbac.authorization.k8s.io/allow-hierarchy-resource-reference-from-policies apply successful
rolebinding.rbac.authorization.k8s.io/allow-hierarchy-resource-reference-from-projects apply successful
rolebinding.rbac.authorization.k8s.io/allow-logging-resource-reference-from-projects apply successful
rolebinding.rbac.authorization.k8s.io/allow-projects-resource-reference-from-logging apply successful
rolebinding.rbac.authorization.k8s.io/allow-projects-resource-reference-from-networking apply successful
rolebinding.rbac.authorization.k8s.io/allow-projects-resource-reference-from-policies apply successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com apply successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com apply successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com apply successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com apply successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com apply successful
folder.resourcemanager.cnrm.cloud.google.com/audits apply successful
folder.resourcemanager.cnrm.cloud.google.com/clients apply successful
folder.resourcemanager.cnrm.cloud.google.com/services apply successful
folder.resourcemanager.cnrm.cloud.google.com/services-infrastructure apply successful
project.resourcemanager.cnrm.cloud.google.com/logging-project-oi apply successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-guest-attribute-access apply successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-nested-virtualization apply successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-serial-port-access apply successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-vpc-external-ipv6 apply successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-os-login apply successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-shielded-vm apply successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-shielded-vm-except-mgt-project apply successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-restrict-load-balancer-creation-for-types apply successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-restrict-shared-vpc-lien-removal apply successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-restrict-vpc-peering apply successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-skip-default-network-creation apply successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-trusted-image-projects apply successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-vm-can-ip-forward apply successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-vm-external-ip-access apply successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/essentialcontacts-allowed-contact-domains apply successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/gcp-restrict-resource-locations apply successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/iam-allowed-policy-member-domains apply successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/iam-disable-service-account-key-creation apply successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/sql-restrict-public-ip apply successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/storage-public-access-prevention apply successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/storage-uniform-bucket-level-access apply successful
apply phase finished
reconcile phase started
rolebinding.rbac.authorization.k8s.io/allow-folders-resource-reference-to-logging reconcile successful
rolebinding.rbac.authorization.k8s.io/allow-hierarchy-resource-reference-from-config-control reconcile successful
rolebinding.rbac.authorization.k8s.io/allow-hierarchy-resource-reference-from-policies reconcile successful
rolebinding.rbac.authorization.k8s.io/allow-hierarchy-resource-reference-from-projects reconcile successful
rolebinding.rbac.authorization.k8s.io/allow-logging-resource-reference-from-projects reconcile successful
rolebinding.rbac.authorization.k8s.io/allow-projects-resource-reference-from-logging reconcile successful
rolebinding.rbac.authorization.k8s.io/allow-projects-resource-reference-from-networking reconcile successful
rolebinding.rbac.authorization.k8s.io/allow-projects-resource-reference-from-policies reconcile successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com reconcile successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com reconcile successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com reconcile successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com reconcile successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com reconcile successful
folder.resourcemanager.cnrm.cloud.google.com/audits reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/clients reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/services reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/services-infrastructure reconcile pending
project.resourcemanager.cnrm.cloud.google.com/logging-project-oi reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-guest-attribute-access reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-nested-virtualization reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-serial-port-access reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-vpc-external-ipv6 reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-os-login reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-shielded-vm reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-shielded-vm-except-mgt-project reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-restrict-load-balancer-creation-for-types reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-restrict-shared-vpc-lien-removal reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-restrict-vpc-peering reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-skip-default-network-creation reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-trusted-image-projects reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-vm-can-ip-forward reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-vm-external-ip-access reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/essentialcontacts-allowed-contact-domains reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/gcp-restrict-resource-locations reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/iam-allowed-policy-member-domains reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/iam-disable-service-account-key-creation reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/sql-restrict-public-ip reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/storage-public-access-prevention reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/storage-uniform-bucket-level-access reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-os-login reconcile failed
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-vpc-external-ipv6 reconcile failed
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-vm-can-ip-forward reconcile failed
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/sql-restrict-public-ip reconcile failed
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-serial-port-access reconcile failed
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-nested-virtualization reconcile failed
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-restrict-vpc-peering reconcile failed
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-shielded-vm reconcile failed
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-shielded-vm-except-mgt-project reconcile failed
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-vm-external-ip-access reconcile failed
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/essentialcontacts-allowed-contact-domains reconcile failed
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-restrict-shared-vpc-lien-removal reconcile failed
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-guest-attribute-access reconcile failed
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/iam-disable-service-account-key-creation reconcile failed
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/storage-public-access-prevention reconcile failed
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-skip-default-network-creation reconcile failed
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/iam-allowed-policy-member-domains reconcile failed
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-restrict-load-balancer-creation-for-types reconcile failed
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/gcp-restrict-resource-locations reconcile failed
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-trusted-image-projects reconcile failed
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/storage-uniform-bucket-level-access reconcile failed
folder.resourcemanager.cnrm.cloud.google.com/clients reconcile successful
folder.resourcemanager.cnrm.cloud.google.com/services reconcile successful
folder.resourcemanager.cnrm.cloud.google.com/audits reconcile successful
folder.resourcemanager.cnrm.cloud.google.com/services-infrastructure reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-vpc-external-ipv6 reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-os-login reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-nested-virtualization reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-serial-port-access reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-vm-can-ip-forward reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-shielded-vm reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/sql-restrict-public-ip reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-restrict-vpc-peering reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/essentialcontacts-allowed-contact-domains reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-vm-external-ip-access reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-shielded-vm-except-mgt-project reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-restrict-shared-vpc-lien-removal reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-guest-attribute-access reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-skip-default-network-creation reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-vpc-external-ipv6 reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/iam-allowed-policy-member-domains reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-os-login reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/iam-disable-service-account-key-creation reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/storage-public-access-prevention reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-restrict-load-balancer-creation-for-types reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-nested-virtualization reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-serial-port-access reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/gcp-restrict-resource-locations reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-vm-can-ip-forward reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-shielded-vm reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/sql-restrict-public-ip reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-restrict-vpc-peering reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/essentialcontacts-allowed-contact-domains reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-restrict-shared-vpc-lien-removal reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-shielded-vm-except-mgt-project reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-vm-external-ip-access reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-guest-attribute-access reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-skip-default-network-creation reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/iam-allowed-policy-member-domains reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/storage-public-access-prevention reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/iam-disable-service-account-key-creation reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/storage-uniform-bucket-level-access reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-restrict-load-balancer-creation-for-types reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/gcp-restrict-resource-locations reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-trusted-image-projects reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/storage-uniform-bucket-level-access reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-trusted-image-projects reconcile successful
project.resourcemanager.cnrm.cloud.google.com/logging-project-oi reconcile successful
reconcile phase finished
apply phase started
iamauditconfig.iam.cnrm.cloud.google.com/logging-project-data-access-log-config apply successful
iampartialpolicy.iam.cnrm.cloud.google.com/mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions apply successful
iampartialpolicy.iam.cnrm.cloud.google.com/platform-and-component-services-infra-log-bucket-writer-permissions apply successful
iampartialpolicy.iam.cnrm.cloud.google.com/platform-and-component-services-log-bucket-writer-permissions apply successful
iampartialpolicy.iam.cnrm.cloud.google.com/security-log-bucket-writer-permissions apply successful
logginglogbucket.logging.cnrm.cloud.google.com/platform-and-component-log-bucket-oi apply successful
logginglogbucket.logging.cnrm.cloud.google.com/security-log-bucket-oi apply successful
logginglogsink.logging.cnrm.cloud.google.com/mgmt-project-cluster-disable-default-bucket apply successful
project.resourcemanager.cnrm.cloud.google.com/dns-project-oi apply successful
apply phase finished
reconcile phase started
iamauditconfig.iam.cnrm.cloud.google.com/logging-project-data-access-log-config reconcile pending
iampartialpolicy.iam.cnrm.cloud.google.com/mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions reconcile pending
iampartialpolicy.iam.cnrm.cloud.google.com/platform-and-component-services-infra-log-bucket-writer-permissions reconcile pending
iampartialpolicy.iam.cnrm.cloud.google.com/platform-and-component-services-log-bucket-writer-permissions reconcile pending
iampartialpolicy.iam.cnrm.cloud.google.com/security-log-bucket-writer-permissions reconcile pending
logginglogbucket.logging.cnrm.cloud.google.com/platform-and-component-log-bucket-oi reconcile pending
logginglogbucket.logging.cnrm.cloud.google.com/security-log-bucket-oi reconcile pending
logginglogsink.logging.cnrm.cloud.google.com/mgmt-project-cluster-disable-default-bucket reconcile pending
project.resourcemanager.cnrm.cloud.google.com/dns-project-oi reconcile pending
logginglogbucket.logging.cnrm.cloud.google.com/platform-and-component-log-bucket-oi reconcile successful
logginglogbucket.logging.cnrm.cloud.google.com/security-log-bucket-oi reconcile successful
logginglogsink.logging.cnrm.cloud.google.com/mgmt-project-cluster-disable-default-bucket reconcile successful
iamauditconfig.iam.cnrm.cloud.google.com/logging-project-data-access-log-config reconcile successful

raised another issue on main having https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/584

The issue was that main was the problem - release 0.3.2 was OK for the clz package solutions/core-landing-zone/0.3.2 -> FETCH_HEAD

I can move on to getting hub-env up on the new env past the 50% status in the older 65d env where hub-env is already up

root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ kubectl get gcp -n networking | grep False
computefirewall.compute.cnrm.cloud.google.com/hub-allow-fortigates-ha-fwr                          67d   False   DependencyNotFound   67d
computefirewall.compute.cnrm.cloud.google.com/hub-allow-spokes-to-fortigates-fwr                   67d   False   DependencyNotFound   67d
computefirewall.compute.cnrm.cloud.google.com/hub-elb-allow-health-checks-to-fortigate-fwr         67d   False   DependencyNotFound   67d
computefirewall.compute.cnrm.cloud.google.com/hub-iap-allow-rdp-to-managementvm-fwr                67d   False   DependencyNotFound   67d
computefirewall.compute.cnrm.cloud.google.com/hub-ilb-allow-health-checks-to-fortigate-fwr         67d   False   DependencyNotFound   67d
computefirewall.compute.cnrm.cloud.google.com/hub-managementvm-allow-ssh-https-to-fortigates-fwr   67d   False   DependencyNotFound   67d
computeinstance.compute.cnrm.cloud.google.com/hub-fgt-primary-instance     67d   False   DependencyNotFound   67d
computeinstance.compute.cnrm.cloud.google.com/hub-fgt-secondary-instance   67d   False   DependencyNotFound   67d
computeinstance.compute.cnrm.cloud.google.com/hub-management-instance      67d   False   DependencyNotFound   67d
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ kubectl get gcp -n projects | grep False
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ kubectl get gcp -n policies | grep False
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ kubectl get gcp -n hierarchy | grep False
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ kubectl get gcp -n logging | grep False
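
Added example, not part of the original comment or of the project's tooling: in the apply output above a resource can report `reconcile failed` and later `reconcile successful`, so only the last status per resource matters when reading a long paste. The function names `sample_log` and `summarise` are hypothetical, and the sample log is constructed from resource names that appear in the output above.

```shell
#!/usr/bin/env bash
# Summarise saved `kpt live apply` status output.
# Each status line has the shape "<kind.group>/<name> <phase> <status>".
# Only "reconcile" lines are considered; "apply" lines and phase markers
# ("reconcile phase started", ...) are ignored.
#
# Limitation: this output format prints no namespace, so objects that share
# kind and name across namespaces (e.g. the repeated configconnectorcontext
# lines) collapse into one key.

# Constructed sample input (not a real capture); includes a blank line like
# the one in the pasted log.
sample_log() {
cat <<'EOF'
apply phase started
project.resourcemanager.cnrm.cloud.google.com/dns-project-oi apply successful
apply phase finished
reconcile phase started
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectmover-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectmover-permissions reconcile failed
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-os-login reconcile failed
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-os-login reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-os-login reconcile successful

iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectmover-permissions reconcile successful
iampartialpolicy.iam.cnrm.cloud.google.com/security-log-bucket-writer-permissions reconcile pending
project.resourcemanager.cnrm.cloud.google.com/dns-project-oi reconcile pending
logginglogbucket.logging.cnrm.cloud.google.com/security-log-bucket-oi reconcile pending
logginglogbucket.logging.cnrm.cloud.google.com/security-log-bucket-oi reconcile successful
EOF
}

# summarise MODE  (reads the log on stdin)
#   unsettled: "<last status> <resource>" for every resource whose final
#              reconcile status is not "successful"
#   recovered: resources that reported "failed" at least once but ended
#              "successful" (transient failures, e.g. waiting on a dependency)
summarise() {
  awk -v mode="$1" '
    NF == 3 && $2 == "reconcile" {
      last[$1] = $3                      # later lines overwrite earlier ones
      if ($3 == "failed") failed[$1] = 1
    }
    END {
      for (r in last) {
        if (mode == "unsettled" && last[r] != "successful") print last[r], r
        if (mode == "recovered" && last[r] == "successful" && (r in failed)) print r
      }
    }
  ' | LC_ALL=C sort
}

echo "Final status not successful:"
sample_log | summarise unsettled
echo "Failed at least once, then recovered:"
sample_log | summarise recovered
```

To use it on a real run, save the apply output to a file and feed that file to `summarise unsettled` on stdin; anything listed is what to look up with `kubectl get gcp -n <namespace>`.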

obriensystems commented 1 year ago

Reran a clean install on a clean org using the script in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/gh446-hub/solutions/setup.sh - this is v0.3.2, not main

446

generated setters version https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/446#issuecomment-1774085821 results

root_@cloudshell:~/pdt-ls/obriensystems/pubsec-declarative-toolkit/solutions (kcc-boot-ls-8704)$ kubens config-control
Context "gke_kcc-boot-ls-8704_northamerica-northeast1_krmapihost-kcc-oi4" modified.
Active namespace is "config-control".
root_@cloudshell:~/pdt-ls/obriensystems/pubsec-declarative-toolkit/solutions (kcc-boot-ls-8704)$ kubectl get gcp
NAME                                                                AGE   READY   STATUS     STATUS AGE
iamcustomrole.iam.cnrm.cloud.google.com/gke-firewall-admin          31m   True    UpToDate   31m
iamcustomrole.iam.cnrm.cloud.google.com/tier2-dnsrecord-admin       31m   True    UpToDate   31m
iamcustomrole.iam.cnrm.cloud.google.com/tier2-vpcpeering-admin      31m   True    UpToDate   31m
iamcustomrole.iam.cnrm.cloud.google.com/tier3-dnsrecord-admin       31m   True    UpToDate   31m
iamcustomrole.iam.cnrm.cloud.google.com/tier3-firewallrule-admin    31m   True    UpToDate   31m
iamcustomrole.iam.cnrm.cloud.google.com/tier3-subnetwork-admin      31m   True    UpToDate   31m
iamcustomrole.iam.cnrm.cloud.google.com/tier3-vpcsc-admin           31m   True    UpToDate   31m
iamcustomrole.iam.cnrm.cloud.google.com/tier4-secretmanager-admin   31m   True    UpToDate   31m

NAME                                                                                       AGE   READY   STATUS     STATUS AGE
iampartialpolicy.iam.cnrm.cloud.google.com/gatekeeper-admin-sa-workload-identity-binding   31m   True    UpToDate   31m
iampartialpolicy.iam.cnrm.cloud.google.com/hierarchy-sa-workload-identity-binding          31m   True    UpToDate   31m
iampartialpolicy.iam.cnrm.cloud.google.com/logging-sa-workload-identity-binding            31m   True    UpToDate   31m
iampartialpolicy.iam.cnrm.cloud.google.com/networking-sa-workload-identity-binding         31m   True    UpToDate   31m
iampartialpolicy.iam.cnrm.cloud.google.com/policies-sa-workload-identity-binding           31m   True    UpToDate   31m
iampartialpolicy.iam.cnrm.cloud.google.com/projects-sa-workload-identity-binding           31m   True    UpToDate   30m

NAME                                                                                                             AGE   READY   STATUS     STATUS AGE
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-management-project-editor-permissions                31m   True    UpToDate   31m
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-management-project-serviceaccountadmin-permissions   31m   True    UpToDate   31m
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-orgroleadmin-permissions                             31m   True    UpToDate   31m
iampolicymember.iam.cnrm.cloud.google.com/gatekeeper-admin-sa-metric-writer-permissions                          31m   True    UpToDate   31m
iampolicymember.iam.cnrm.cloud.google.com/hierarchy-sa-folderadmin-permissions                                   31m   True    UpToDate   30m
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-bigqueryadmin-permissions                                   31m   True    UpToDate   30m
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-logadmin-permissions                                        31m   True    UpToDate   31m
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-dns-permissions                                          31m   True    UpToDate   31m
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-networkadmin-permissions                                 31m   True    UpToDate   31m
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-security-permissions                                     31m   True    UpToDate   31m
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-service-control-org-permissions                          31m   True    UpToDate   31m
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-servicedirectoryeditor-permissions                       31m   True    UpToDate   31m
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-xpnadmin-permissions                                     31m   True    UpToDate   31m
iampolicymember.iam.cnrm.cloud.google.com/policies-sa-orgpolicyadmin-permissions                                 31m   True    UpToDate   31m
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-billinguser-permissions                                    31m   True    UpToDate   30m
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectcreator-permissions                                 31m   True    UpToDate   29m
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectdeleter-permissions                                 31m   True    UpToDate   29m
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectiamadmin-permissions                                31m   True    UpToDate   29m
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectmover-permissions                                   31m   True    UpToDate   29m
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-serviceusageadmin-permissions                              31m   True    UpToDate   29m

NAME                                                              AGE   READY   STATUS     STATUS AGE
iamserviceaccount.iam.cnrm.cloud.google.com/gatekeeper-admin-sa   31m   True    UpToDate   31m
iamserviceaccount.iam.cnrm.cloud.google.com/hierarchy-sa          31m   True    UpToDate   31m
iamserviceaccount.iam.cnrm.cloud.google.com/logging-sa            31m   True    UpToDate   31m
iamserviceaccount.iam.cnrm.cloud.google.com/networking-sa         31m   True    UpToDate   31m
iamserviceaccount.iam.cnrm.cloud.google.com/policies-sa           31m   True    UpToDate   31m
iamserviceaccount.iam.cnrm.cloud.google.com/projects-sa           31m   True    UpToDate   30m

NAME                                                                               AGE   READY   STATUS     STATUS AGE
service.serviceusage.cnrm.cloud.google.com/kcc-boot-ls-8704-accesscontextmanager   31m   True    UpToDate   31m
service.serviceusage.cnrm.cloud.google.com/kcc-boot-ls-8704-cloudbilling           31m   True    UpToDate   31m
service.serviceusage.cnrm.cloud.google.com/kcc-boot-ls-8704-cloudresourcemanager   31m   True    UpToDate   31m
service.serviceusage.cnrm.cloud.google.com/kcc-boot-ls-8704-serviceusage           31m   True    UpToDate   31m
root_@cloudshell:~/pdt-ls/obriensystems/pubsec-declarative-toolkit/solutions (kcc-boot-ls-8704)$ kubectl get projects
No resources found in config-control namespace.
root_@cloudshell:~/pdt-ls/obriensystems/pubsec-declarative-toolkit/solutions (kcc-boot-ls-8704)$ kubectl get gcp -n projects
NAME                                                                              AGE   READY   STATUS     STATUS AGE
iamauditconfig.iam.cnrm.cloud.google.com/logging-project-data-access-log-config   24m   True    UpToDate   24m

NAME                                                                                                                   AGE   READY   STATUS               STATUS AGE
iampartialpolicy.iam.cnrm.cloud.google.com/mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions   24m   False   DependencyNotFound   24m
iampartialpolicy.iam.cnrm.cloud.google.com/platform-and-component-services-infra-log-bucket-writer-permissions         24m   False   DependencyNotFound   24m
iampartialpolicy.iam.cnrm.cloud.google.com/platform-and-component-services-log-bucket-writer-permissions               24m   False   DependencyNotFound   24m
iampartialpolicy.iam.cnrm.cloud.google.com/security-log-bucket-writer-permissions                                      24m   False   DependencyNotFound   24m

NAME                                                                AGE   READY   STATUS     STATUS AGE
project.resourcemanager.cnrm.cloud.google.com/dns-project-ls4       24m   True    UpToDate   21m
project.resourcemanager.cnrm.cloud.google.com/logging-project-ls4   30m   True    UpToDate   24m
root_@cloudshell:~/pdt-ls/obriensystems/pubsec-declarative-toolkit/solutions (kcc-boot-ls-8704)$ kubectl get gcp -n hierarchy
NAME                                                                   AGE   READY   STATUS     STATUS AGE
folder.resourcemanager.cnrm.cloud.google.com/audits                    31m   True    UpToDate   28m
folder.resourcemanager.cnrm.cloud.google.com/clients                   31m   True    UpToDate   28m
folder.resourcemanager.cnrm.cloud.google.com/services                  31m   True    UpToDate   28m
folder.resourcemanager.cnrm.cloud.google.com/services-infrastructure   31m   True    UpToDate   28m
root_@cloudshell:~/pdt-ls/obriensystems/pubsec-declarative-toolkit/solutions (kcc-boot-ls-8704)$ kubectl get gcp -n logging
NAME                                                                                   AGE   READY   STATUS     STATUS AGE
logginglogbucket.logging.cnrm.cloud.google.com/platform-and-component-log-bucket-ls4   25m   True    UpToDate   25m
logginglogbucket.logging.cnrm.cloud.google.com/security-log-bucket-ls4                 25m   True    UpToDate   25m

NAME                                                                                       AGE   READY   STATUS     STATUS AGE
logginglogsink.logging.cnrm.cloud.google.com/mgmt-project-cluster-disable-default-bucket   25m   True    UpToDate   25m
root_@cloudshell:~/pdt-ls/obriensystems/pubsec-declarative-toolkit/solutions (kcc-boot-ls-8704)$ kubectl get gcp -n networking
No resources found in networking namespace.
root_@cloudshell:~/pdt-ls/obriensystems/pubsec-declarative-toolkit/solutions (kcc-boot-ls-8704)$ kubectl get namespaces
NAME                              STATUS   AGE
cnrm-system                       Active   53m
config-control                    Active   53m
config-management-monitoring      Active   54m
config-management-system          Active   54m
configconnector-operator-system   Active   54m
default                           Active   60m
gatekeeper-system                 Active   52m
gke-gmp-system                    Active   59m
gke-managed-filestorecsi          Active   59m
gmp-public                        Active   59m
hierarchy                         Active   33m
krmapihosting-monitoring          Active   54m
krmapihosting-system              Active   57m
kube-node-lease                   Active   60m
kube-public                       Active   60m
kube-system                       Active   60m
logging                           Active   33m
networking                        Active   33m
policies                          Active   33m
projects                          Active   33m
resource-group-system             Active   52m
root_@cloudshell:~/pdt-ls/obriensystems/pubsec-declarative-toolkit/solutions (kcc-boot-ls-8704)$ kubectl get gcp -n policies
NAME                                                                                                         AGE   READY   STATUS     STATUS AGE
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-shielded-vm-except-mgt-project   32m   True    UpToDate   30m
root_@cloudshell:~/pdt-ls/obriensystems/pubsec-declarative-toolkit/solutions (kcc-boot-ls-8704)$ 

root_@cloudshell:~/pdt-ls/obriensystems/pubsec-declarative-toolkit/solutions (kcc-boot-ls-8704)$ kubectl describe iampartialpolicy.iam.cnrm.cloud.google.com/mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions -n projects
Name:         mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions
Namespace:    projects
Labels:       <none>
Annotations:  cnrm.cloud.google.com/blueprint: kpt-pkg-fn-live
              config.k8s.io/owning-inventory: aa4fc298b6221cdddd79610cf49717502ca36ce7-1697985197779920990
              config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/logging-project-ls4
              internal.kpt.dev/upstream-identifier:
                iam.cnrm.cloud.google.com|IAMPartialPolicy|projects|mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions
API Version:  iam.cnrm.cloud.google.com/v1beta1
Kind:         IAMPartialPolicy
Metadata:
  Creation Timestamp:  2023-10-22T14:40:40Z
  Generation:          1
  Resource Version:    33727
  UID:                 fbc7777f-bea5-4cfa-a2a5-fa5ee016be01
Spec:
  Bindings:
    Members:
      Member From:
        Log Sink Ref:
          Name:       mgmt-project-cluster-platform-and-component-log-sink
          Namespace:  logging
    Role:             roles/logging.bucketWriter
  Resource Ref:
    API Version:  resourcemanager.cnrm.cloud.google.com/v1beta1
    Kind:         Project
    Name:         logging-project-ls4
    Namespace:    projects
Status:
  Conditions:
    Last Transition Time:  2023-10-22T14:40:40Z
    Message:               reference LoggingLogSink logging/mgmt-project-cluster-platform-and-component-log-sink is not found
    Reason:                DependencyNotFound
    Status:                False
    Type:                  Ready
  Observed Generation:     1
Events:
  Type     Reason              Age                  From                         Message
  ----     ------              ----                 ----                         -------
  Warning  DependencyNotFound  2m42s (x4 over 28m)  iampartialpolicy-controller  reference LoggingLogSink logging/mgmt-project-cluster-platform-and-component-log-sink is not found
root_@cloudshell:~/pdt-ls/obriensystems/pubsec-declarative-toolkit/solutions (kcc-boot-ls-8704)$