GoogleCloudPlatform / pubsec-declarative-toolkit

The GCP PubSec Declarative Toolkit is a collection of declarative solutions to help you on your Journey to Google Cloud. Solutions are designed using Config Connector and deployed using Config Controller.
Apache License 2.0

Add single Fortigate VM partner-ready minimal extract for dev - separate from production level hub-env/fortigate package and without need for core-landing-zone #654

Open obriensystems opened 8 months ago

obriensystems commented 8 months ago

add dry run (still won't be able to test out actual GCP workflow like quota issues for example)

https://kpt.dev/reference/cli/live/apply/

--dry-run

2nd clean deploy kcc-arg-3707 2023

spawn https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/pull/745

script in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/gh446-hub/solutions/setup.sh

Example/dev level single/quad VPC setup for partner access without having to deploy the core-landing-zone package

An extract of project/hub-env/fortigate https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions/project/hub-env/fortigate

see https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/gh654-fortigate-dev-vm see #258 see #446 see CD #751

Procedures

fmichaelobrien commented 7 months ago

clean cluster

admin_@cloudshell:~/654_fortinet$ gcloud config set project pdt-arg
Updated property [core/project].
admin_@cloudshell:~/654_fortinet (pdt-arg)$ 

admin_@cloudshell:~/654_fortinet (pdt-arg)$ mkdir _kcc_cluster_deploy
admin_@cloudshell:~/654_fortinet (pdt-arg)$ mkdir _lz_deploy
admin_@cloudshell:~/654_fortinet (pdt-arg)$ mkdir _fg_addon
admin_@cloudshell:~/654_fortinet (pdt-arg)$ cd _kcc_cluster_deploy/
admin_@cloudshell:~/654_fortinet/_kcc_cluster_deploy (pdt-arg)$ mkdir gh446-hub
admin_@cloudshell:~/654_fortinet/_kcc_cluster_deploy (pdt-arg)$ cd gh446-hub/
admin_@cloudshell:~/654_fortinet/_kcc_cluster_deploy/gh446-hub (pdt-arg)$ git clone https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git
admin_@cloudshell:~/654_fortinet/_kcc_cluster_deploy/gh446-hub (pdt-arg)$ cd pubsec-declarative-toolkit/
admin_@cloudshell:~/654_fortinet/_kcc_cluster_deploy/gh446-hub/pubsec-declarative-toolkit (pdt-arg)$ git checkout gh446-hub
Branch 'gh446-hub' set up to track remote branch 'gh446-hub' from 'origin'.
Switched to a new branch 'gh446-hub'
admin_@cloudshell:~/654_fortinet/_kcc_cluster_deploy/gh446-hub/pubsec-declarative-toolkit (pdt-arg)$ 

admin_@cloudshell:~/654_fortinet/_fg_addon (pdt-arg)$ mkdir gh654-fortigate-dev-vm
admin_@cloudshell:~/654_fortinet/_fg_addon (pdt-arg)$ cd gh654-fortigate-dev-vm/
admin_@cloudshell:~/654_fortinet/_fg_addon/gh654-fortigate-dev-vm (pdt-arg)$ git clone https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git
admin_@cloudshell:~/654_fortinet/_fg_addon/gh654-fortigate-dev-vm (pdt-arg)$ cd pubsec-declarative-toolkit/
admin_@cloudshell:~/654_fortinet/_fg_addon/gh654-fortigate-dev-vm/pubsec-declarative-toolkit (pdt-arg)$ git checkout gh654-fortigate-dev-vm
Branch 'gh654-fortigate-dev-vm' set up to track remote branch 'gh654-fortigate-dev-vm' from 'origin'.
Switched to a new branch 'gh654-fortigate-dev-vm'

Prep

admin_@cloudshell:~/654_fortinet/_kcc_cluster_deploy/gh446-hub/pubsec-declarative-toolkit/solutions (pdt-arg)$

SAs group


Folder

export ROOT_FOLDER_ID=37...7
# this is the HD name on your user/dev/client pc/shell - keep the same - this can be generated
export KPT_FOLDER_NAME=kpt
# match this to the folder just above where you cloned the pdt repo
export REPO_ROOT=gh446-hub

Run GKE Enterprise script

..
storageLocation: northamerica-northeast1
Create VPC: kcc-ls-vpc
Created [https://www.googleapis.com/compute/v1/projects/kcc-arg-3707/global/networks/kcc-ls-vpc].
NAME: kcc-ls-vpc
SUBNET_MODE: CUSTOM
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE:
GATEWAY_IPV4:

Instances on this network will not be reachable until firewall rules
are created. As an example, you can allow all internal traffic between
instances as well as SSH, RDP, and ICMP by running:

$ gcloud compute firewall-rules create <FIREWALL_NAME> --network kcc-ls-vpc --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network kcc-ls-vpc --allow tcp:22,tcp:3389,icmp

Create subnet kcc-ls-sn off VPC: kcc-ls-vpc using 192.168.0.0/16 on region: northamerica-northeast1
Created [https://www.googleapis.com/compute/v1/projects/kcc-arg-3707/regions/northamerica-northeast1/subnetworks/kcc-ls-sn].
NAME: kcc-ls-sn
REGION: northamerica-northeast1
NETWORK: kcc-ls-vpc
RANGE: 192.168.0.0/16
STACK_TYPE: IPV4_ONLY
IPV6_ACCESS_TYPE:
INTERNAL_IPV6_PREFIX:
EXTERNAL_IPV6_PREFIX:
create default firewalls
Creating Anthos KCC autopilot cluster kcc in region northamerica-northeast1 in subnet kcc-ls-sn off VPC kcc-ls-vpc on project
Create request issued for: [kcc]
Waiting for operation [projects/kcc-arg-3707/locations/northamerica-northeast1/operations/operation-1701192812315-60b39d145c439-0302ad2e-a9f13bd5] to complete...working

1234
1247

Waiting for operation [projects/kcc-arg-3707/locations/northamerica-northeast1/operations/operation-1701192812315-60b39d145c439-0302ad2e-a9f13bd5] to complete...done.
Created instance [kcc].
Fetching cluster endpoint and auth data.
kubeconfig entry generated for krmapihost-kcc.
Cluster create time: 924 sec
Fetching cluster endpoint and auth data.
kubeconfig entry generated for krmapihost-kcc.
List Clusters:
NAME: kcc
LOCATION: northamerica-northeast1
STATE: RUNNING
post GKE cluster create - applying 2 roles to org: 22...14 and project: on the yakima gke service account to prep for kpt deployment: service-340790590149@gcp-sa-yakima.iam.gserviceaccount.com
Updated IAM policy for organization [226082700214].
ERROR: (gcloud.projects.add-iam-policy-binding) Error parsing [project_id].
The [project] resource is not properly specified.
Failed to find attribute [project_id]. The attribute can be set in the following ways:



Cluster up, Yakima SA needs associations
fmichaelobrien commented 7 months ago
KCC_PROJECT_ID reset on run KCC GKE cluster only without LZ deploy

  # service account used by Config Connector in the config-control namespace
  SA_EMAIL="$(kubectl get ConfigConnectorContext -n config-control -o jsonpath='{.items[0].spec.googleServiceAccount}' 2> /dev/null)"
  echo "post GKE cluster create - applying 2 roles to org: ${ORG_ID} and project: ${KCC_PROJECT_ID} on the yakima gke service account to prep for kpt deployment: $SA_EMAIL"
  # stdout is discarded; stderr stays visible so a failed binding is reported
  gcloud organizations add-iam-policy-binding "${ORG_ID}" --member="serviceAccount:${SA_EMAIL}" --role=roles/resourcemanager.organizationAdmin --condition=None --quiet > /dev/null
  gcloud projects add-iam-policy-binding "${KCC_PROJECT_ID}" --member "serviceAccount:${SA_EMAIL}" --role "roles/serviceusage.serviceUsageConsumer" --project "${KCC_PROJECT_ID}" --quiet > /dev/null
  # need service account admin for kubectl describe iamserviceaccount.iam.cnrm.cloud.google.com/gatekeeper-admin-sa
  gcloud organizations add-iam-policy-binding "${ORG_ID}" --member="serviceAccount:${SA_EMAIL}" --role=roles/iam.organizationRoleAdmin --condition=None --quiet > /dev/null
  gcloud organizations add-iam-policy-binding "${ORG_ID}" --member="serviceAccount:${SA_EMAIL}" --role=roles/iam.serviceAccountAdmin --condition=None --quiet > /dev/null
fi  # closes the enclosing if block (opening not shown in this excerpt)

line 88

  # set KCC project id for case where we initially create the KCC cluster without rerunning with passed in -p project_id
  KCC_PROJECT_ID=$CC_PROJECT_ID

PR https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/pull/745

admin_@cloudshell:~/654_fortinet/_kcc_cluster_deploy/gh446-hub/pubsec-declarative-toolkit/solutions (kcc-arg-3707)$ KCC_PROJECT_ID=kcc-arg-3707
admin_@cloudshell:~/654_fortinet/_kcc_cluster_deploy/gh446-hub/pubsec-declarative-toolkit/solutions (kcc-arg-3707)$ ORG_ID=2..4
admin_@cloudshell:~/654_fortinet/_kcc_cluster_deploy/gh446-hub/pubsec-declarative-toolkit/solutions (kcc-arg-3707)$ SA_EMAIL=service-340790590149@gcp-sa-yakima.iam.gserviceaccount.com
admin_@cloudshell:~/654_fortinet/_kcc_cluster_deploy/gh446-hub/pubsec-declarative-toolkit/solutions (kcc-arg-3707)$ gcloud organizations add-iam-policy-binding "${ORG_ID}" --member="serviceAccount:${SA_EMAIL}" --role=roles/resourcemanager.organizationAdmin --condition=None --quiet  > /dev/null 1>&1
Updated IAM policy for organization [22...4].
admin_@cloudshell:~/654_fortinet/_kcc_cluster_deploy/gh446-hub/pubsec-declarative-toolkit/solutions (kcc-arg-3707)$ gcloud projects add-iam-policy-binding "${KCC_PROJECT_ID}" --member "serviceAccount:${SA_EMAIL}" --role "roles/serviceusage.serviceUsageConsumer" --project "${KCC_PROJECT_ID}" --quiet  > /dev/null 1>&1
Updated IAM policy for project [kcc-arg-3707].
admin_@cloudshell:~/654_fortinet/_kcc_cluster_deploy/gh446-hub/pubsec-declarative-toolkit/solutions (kcc-arg-3707)$ gcloud organizations add-iam-policy-binding "${ORG_ID}" --member="serviceAccount:${SA_EMAIL}" --role=roles/iam.organizationRoleAdmin --condition=None --quiet > /dev/null 1>&1
Updated IAM policy for organization [2...14].
admin_@cloudshell:~/654_fortinet/_kcc_cluster_deploy/gh446-hub/pubsec-declarative-toolkit/solutions (kcc-arg-3707)$ gcloud organizations add-iam-policy-binding "${ORG_ID}" --member="serviceAccount:${SA_EMAIL}" --role=roles/iam.serviceAccountAdmin --condition=None --quiet > /dev/null 1>&1
Updated IAM policy for organization [22...14].
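
The failure in the log above, where the project binding ran with an empty project ID, can be caught before any IAM call is made. The following is an added example, not code from setup.sh or the project; `bind_kcc_roles`, the `GCLOUD` override, `print_only` and the numeric IDs are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of setup.sh: check the three inputs before granting
# roles, and report a failed binding instead of continuing silently.
LC_ALL=C; export LC_ALL   # keep the a-z / 0-9 ranges below ASCII-only

valid_org_id() {          # organization IDs are numeric
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

valid_project_id() {      # 6-30 chars: lowercase letters, digits, hyphens
  [ "${#1}" -ge 6 ] && [ "${#1}" -le 30 ] || return 1
  # must start with a letter, contain only allowed chars, not end with a hyphen
  case "$1" in [!a-z]*|*[!a-z0-9-]*|*-) return 1 ;; esac
}

valid_sa_email() {        # name@<something>.gserviceaccount.com
  case "$1" in
    *[!A-Za-z0-9@._-]*|*@*@*) return 1 ;;
    ?*@?*.gserviceaccount.com) return 0 ;;
  esac
  return 1
}

# bind_kcc_roles ORG_ID PROJECT_ID SA_EMAIL   (hypothetical helper)
# Returns 2 on bad input (nothing is applied), 1 if any binding fails, else 0.
# GCLOUD (hypothetical override) names the command to run; default is gcloud.
bind_kcc_roles() {
  local org_id="$1" project_id="$2" sa_email="$3" role rc=0

  valid_org_id "$org_id" ||
    { echo "refusing: ORG_ID '$org_id' is empty or not numeric" >&2; return 2; }
  valid_project_id "$project_id" ||
    { echo "refusing: project ID '$project_id' is empty or malformed" >&2; return 2; }
  valid_sa_email "$sa_email" ||
    { echo "refusing: '$sa_email' is not a service account e-mail" >&2; return 2; }

  # Same four roles as the excerpt above; org-level ones first.
  for role in roles/resourcemanager.organizationAdmin \
              roles/iam.organizationRoleAdmin \
              roles/iam.serviceAccountAdmin; do
    if ! "${GCLOUD:-gcloud}" organizations add-iam-policy-binding "$org_id" \
         --member="serviceAccount:${sa_email}" --role="$role" \
         --condition=None --quiet > /dev/null; then
      echo "FAILED: $role on organization $org_id" >&2
      rc=1
    fi
  done
  if ! "${GCLOUD:-gcloud}" projects add-iam-policy-binding "$project_id" \
       --member="serviceAccount:${sa_email}" \
       --role=roles/serviceusage.serviceUsageConsumer --quiet > /dev/null; then
    echo "FAILED: roles/serviceusage.serviceUsageConsumer on project $project_id" >&2
    rc=1
  fi
  return "$rc"
}

# Offline demo with constructed IDs: print_only stands in for gcloud.
print_only() { echo "would run: gcloud $*" >&2; }
GCLOUD=print_only
SAMPLE_SA="service-123456789012@gcp-sa-yakima.iam.gserviceaccount.com"  # constructed
bind_kcc_roles 123456789012 "" "$SAMPLE_SA" ||
  echo "empty project ID rejected with status $?"
bind_kcc_roles 123456789012 kcc-arg-3707 "$SAMPLE_SA"
```

Unset `GCLOUD` (or set it to `gcloud`) to apply the bindings for real; a non-zero return lets the calling script stop before `kpt` is run against a half-configured service account.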
fmichaelobrien commented 7 months ago

deploy hub-experimentation

  project-billing-id: "0...2"
  # GCP folder to use as parent to this project, lowercase K8S resource name
  project-parent-folder: lz-20231128-654
  # user, group or serviceAccount with editor role at project level
  project-editor: "ad..om"
  # Naming Convention for project-id : <client-code><environment-code>m<data-classification>-<project-owner>-<user defined string>
  # Max 30 characters
  project-id: xxemu-team1-fmoarg

admin_@cloudshell:~/654_fortinet/_kcc_cluster_deploy/gh446-hub/pubsec-declarative-toolkit/solutions (kcc-arg-3707)$ cd ../../../../
admin_@cloudshell:~/654_fortinet (kcc-arg-3707)$ cd _lz_deploy/
admin_@cloudshell:~/654_fortinet/_lz_deploy (kcc-arg-3707)$ cd hub-experimentation/
admin_@cloudshell:~/654_fortinet/_lz_deploy/hub-experimentation (kcc-arg-3707)$ kpt fn render
Package "hub-experimentation": 
[RUNNING] "gcr.io/kpt-fn/apply-setters:v0.2"
[PASS] "gcr.io/kpt-fn/apply-setters:v0.2" in 2.5s
  Results:
    [info] metadata.name: set field value to "xxemu-team1-fmoarg-logging-dnspolicy"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "xxemu-team1-fmoarg"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "compute.cnrm.cloud.google.com/namespaces/networking/ComputeNetwork/xxemu-team1-fmoarg-global-vpc1-vpc"
    [info] spec.networks[0].networkRef.name: set field value to "xxemu-team1-fmoarg-global-vpc1-vpc"
    ...(69 line(s) truncated, use '--truncate-output=false' to disable)

Successfully executed 1 function(s) in 1 package(s).
fmichaelobrien commented 7 months ago

2nd clean deploy kcc-arg-3707 2023

spawn https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/pull/745

  473  cd _fg_addon/
  481  mkdir gh654-fortigate-dev-vm
  482  cd gh654-fortigate-dev-vm/
  483  git clone https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git
  484  cd pubsec-declarative-toolkit/
  485  git checkout gh654-fortigate-dev-vm
  486  cd ../../../
  487  cd _kcc_cluster_deploy/gh446-hub/pubsec-declarative-toolkit/solutions/
  488  ls
  489  ./setup.sh -b pdt-arg -u ar -n true -c true -l false -h false -d false -j false
  490  KCC_PROJECT_ID=kcc-arg-3707

temporary prior to fix https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/pull/745
  491  ORG_ID=22....14
  492  SA_EMAIL=service-34....49@gcp-sa-yakima.iam.gserviceaccount.com
  493  gcloud organizations add-iam-policy-binding "${ORG_ID}" --member="serviceAccount:${SA_EMAIL}" --role=roles/resourcemanager.organizationAdmin --condition=None --quiet  > /dev/null 1>&1
  494  gcloud projects add-iam-policy-binding "${KCC_PROJECT_ID}" --member "serviceAccount:${SA_EMAIL}" --role "roles/serviceusage.serviceUsageConsumer" --project "${KCC_PROJECT_ID}" --quiet  > /dev/null 1>&1
  495  gcloud organizations add-iam-policy-binding "${ORG_ID}" --member="serviceAccount:${SA_EMAIL}" --role=roles/iam.organizationRoleAdmin --condition=None --quiet > /dev/null 1>&1
  496  gcloud organizations add-iam-policy-binding "${ORG_ID}" --member="serviceAccount:${SA_EMAIL}" --role=roles/iam.serviceAccountAdmin --condition=None --quiet > /dev/null 1>&1
  497  cd ../../../../
  498  cd _lz_deploy/
  499  cd hub-experimentation/
  500  kpt fn render

Note: config-control namespace override

kind: IAMPolicyMember
metadata:
  name: fortigatesdn-sa-fortigatesdnviewer-role-permissions
  namespace: config-control # kpt-set: ${management-namespace}

via project/hub-env/setters.yaml:22

keep config-control as the default

management-namespace: config-control

obriensystems commented 7 months ago

oi org running main 20231206:0600 to verify no issue with the following https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/core-landing-zone/lz-folder/services-infrastructure/folder-sink.yaml#L23 platform-and-component-services-infra-log-sink from https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/core-landing-zone/lz-folder/audits/logging-project/project-iam.yaml#L105 mgmt-project-cluster-platform-and-component-log-sink

michael@cloudshell:~/kcc-oi$ cd ..
michael@cloudshell:~$ mkdir kcc-oi-20231206
michael@cloudshell:~$ cd kcc-oi-20231206/
michael@cloudshell:~/kcc-oi-20231206$ mkdir github
michael@cloudshell:~/kcc-oi-20231206$ mkdir kpt
michael@cloudshell:~/kcc-oi-20231206$ cd github/
michael@cloudshell:~/kcc-oi-20231206/github$ git clone https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git
Cloning into 'pubsec-declarative-toolkit'...
remote: Enumerating objects: 9668, done.
remote: Counting objects: 100% (3488/3488), done.
remote: Compressing objects: 100% (1134/1134), done.
remote: Total 9668 (delta 2779), reused 2785 (delta 2338), pack-reused 6180
Receiving objects: 100% (9668/9668), 6.40 MiB | 12.24 MiB/s, done.
Resolving deltas: 100% (6225/6225), done.
michael@cloudshell:~/kcc-oi-20231206/github$ cd pubsec-declarative-toolkit/
michael@cloudshell:~/kcc-oi-20231206/github/pubsec-declarative-toolkit$ ls
CONTRIBUTING.md  docs  examples  LICENSE  README.md  release-please-config.json  services  solutions
michael@cloudshell:~/kcc-oi-20231206/github/pubsec-declarative-toolkit$ cd ..
michael@cloudshell:~/kcc-oi-20231206/github$ mkdir _pull_20231206_0641
michael@cloudshell:~/kcc-oi-20231206/github$ cd pubsec-declarative-toolkit/
michael@cloudshell:~/kcc-oi-20231206/github/pubsec-declarative-toolkit$ cd ..
michael@cloudshell:~/kcc-oi-20231206/github$ ls
pubsec-declarative-toolkit  _pull_20231206_0641
michael@cloudshell:~/kcc-oi-20231206/github$ mkdir _446-hub
michael@cloudshell:~/kcc-oi-20231206/github/_446-hub$ git clone https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git     
Cloning into 'pubsec-declarative-toolkit'...
remote: Enumerating objects: 9668, done.
remote: Counting objects: 100% (3563/3563), done.
remote: Compressing objects: 100% (1112/1112), done.
remote: Total 9668 (delta 2852), reused 2881 (delta 2435), pack-reused 6105
Receiving objects: 100% (9668/9668), 6.41 MiB | 26.91 MiB/s, done.
Resolving deltas: 100% (6228/6228), done.
michael@cloudshell:~/kcc-oi-20231206/github/_446-hub$ cd pubsec-declarative-toolkit/
michael@cloudshell:~/kcc-oi-20231206/github/_446-hub/pubsec-declarative-toolkit$ git checkout gh446-hub
Branch 'gh446-hub' set up to track remote branch 'gh446-hub' from 'origin'.
Switched to a new branch 'gh446-hub'
michael@cloudshell:~/kcc-oi-20231206/github/_446-hub/pubsec-declarative-toolkit$ cp solutions/
client-landing-zone/  core-landing-zone/    gke/                  ids/                  project/              vars.sh
client-project-setup/ experimentation/      guardrails/           kcc-namespaces/       setup.sh              vertexai/
client-setup/         gatekeeper-policies/  guardrails-policies/  legacy/               solutions.yaml        
michael@cloudshell:~/kcc-oi-20231206/github/_446-hub/pubsec-declarative-toolkit$ cp solutions/vars.sh ../../
_446-hub/                   pubsec-declarative-toolkit/ _pull_20231206_0641/        
michael@cloudshell:~/kcc-oi-20231206/github/_446-hub/pubsec-declarative-toolkit$ cp solutions/vars.sh ../../pubsec-declarative-toolkit/solutions/
michael@cloudshell:~/kcc-oi-20231206/github/_446-hub/pubsec-declarative-toolkit$ cp solutions/setup.sh ../../pubsec-declarative-toolkit/solutions/
michael@cloudshell:~/kcc-oi-20231206/github/_446-hub/pubsec-declarative-toolkit$ cd ..
michael@cloudshell:~/kcc-oi-20231206/github/_446-hub$ cd ..
michael@cloudshell:~/kcc-oi-20231206/github$ 

michael@cloudshell:~/kcc-oi-20231206/github/pubsec-declarative-toolkit/solutions (kcc-oi)$ chmod 777 setup.sh
michael@cloudshell:~/kcc-oi-20231206/github/pubsec-declarative-toolkit/solutions (kcc-oi)$ ./setup.sh -b kcc-oi -u ar -n true -c true -l false -h false -d false -j false

generated kcc project_id propagation to the end in yakima/sa role additions retested in #654

0648
michael@cloudshell:~/kcc-oi-20231206/github/pubsec-declarative-toolkit/solutions (kcc-oi)$ ./setup.sh -b kcc-oi -u ar -n true -c true -l false -h false -d false -j false
existing project: 
Date: Wed 06 Dec 2023 11:48:39 AM UTC
Timestamp: 1701863319
running with: -b kcc-oi -u ar -c true -l false -h false -r false -d false -p 
Updated property [core/project].
Switched back to boot project kcc-oi
Start: 1701863320
unique string: ar
REGION: northamerica-northeast1
NETWORK: kcc-ls-vpc
SUBNET: kcc-ls-sn
CLUSTER: kcc
Creating project: kcc-oi-6475
CC_PROJECT_ID: kcc-oi-6475
BOOT_PROJECT_ID: kcc-oi
BILLING_ID: 014479-806359-2F5F85
ORG_ID: 459..44
applying roles to the super admin SUPER_ADMIN_EMAIL: michael@obrien.industries
Updated IAM policy for organization [4..44].
Updated IAM policy for organization [4..4].
Updated IAM policy for organization [4..4].
Updated IAM policy for organization [4..4].
Updated IAM policy for organization [4..].
Updated IAM policy for organization [4.4]..
Updated IAM policy for organization [4..144].
Updated IAM policy for organization [459..44].
Creating KCC project: kcc-oi-6475 on folder: 38862..43
Create in progress for [https://cloudresourcemanager.googleapis.com/v1/projects/kcc-oi-6475].
Waiting for [operations/cp.5638443903817105010] to finish...done.                                                                                           
Enabling service [cloudapis.googleapis.com] on project [kcc-oi-6475]...
Operation "operations/acat.p2-993154031891-29201c86-a034-44cc-a146-92e3e696b676" finished successfully.
Updated property [core/project] to [kcc-oi-6475].
Updated property [core/project].
Enabling billing on account: 014..85
billingAccountName: billingAccounts/014..5
billingEnabled: true
name: projects/kcc-oi-6475/billingInfo
projectId: kcc-oi-6475
sleep 45 sec before enabling services
Enabling APIs
Operation "operations/acf.p2-993154031891-7d0764e3-2cd3-49e7-8fb3-102ebcc9c323" finished successfully.
Operation "operations/acat.p2-993154031891-d64f4422-74fd-48c8-a84b-c664d443bb03" finished successfully.
Operation "operations/acat.p2-993154031891-512f8af5-90e8-42e4-8ec0-5b6ad758cf31" finished successfully.
Operation "operations/acat.p2-993154031891-cf30917a-8316-439f-b3c4-67035ae22681" finished successfully.
Operation "operations/acat.p2-993154031891-de537f80-1838-463a-991e-5dfb9fbcd191" finished successfully.
Operation "operations/acat.p2-993154031891-fc32e1ef-6444-4b10-af5a-73a29e981b21" finished successfully.
name: organizations/459065442144/settings
storageLocation: northamerica-northeast1
Create VPC: kcc-ls-vpc
Created [https://www.googleapis.com/compute/v1/projects/kcc-oi-6475/global/networks/kcc-ls-vpc].
NAME: kcc-ls-vpc
SUBNET_MODE: CUSTOM
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE: 
GATEWAY_IPV4: 

Instances on this network will not be reachable until firewall rules
are created. As an example, you can allow all internal traffic between
instances as well as SSH, RDP, and ICMP by running:

$ gcloud compute firewall-rules create <FIREWALL_NAME> --network kcc-ls-vpc --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network kcc-ls-vpc --allow tcp:22,tcp:3389,icmp

Create subnet kcc-ls-sn off VPC: kcc-ls-vpc using 192.168.0.0/16 on region: northamerica-northeast1
Created [https://www.googleapis.com/compute/v1/projects/kcc-oi-6475/regions/northamerica-northeast1/subnetworks/kcc-ls-sn].
NAME: kcc-ls-sn
REGION: northamerica-northeast1
NETWORK: kcc-ls-vpc
RANGE: 192.168.0.0/16
STACK_TYPE: IPV4_ONLY
IPV6_ACCESS_TYPE: 
INTERNAL_IPV6_PREFIX: 
EXTERNAL_IPV6_PREFIX: 
create default firewalls
Creating Anthos KCC autopilot cluster kcc in region northamerica-northeast1 in subnet kcc-ls-sn off VPC kcc-ls-vpc on project kcc-oi-6475
Create request issued for: [kcc]
Waiting for operation [projects/kcc-oi-6475/locations/northamerica-northeast1/operations/operation-1701863484478-60bd5f872d47b-3203efc2-fe59f81d] to complete...working

Waiting for operation [projects/kcc-oi-6475/locations/northamerica-northeast1/operations/operation-1701863484478-60bd5f872d47b-3203efc2-fe59f81d] to complete...done.
Created instance [kcc].
Fetching cluster endpoint and auth data.
kubeconfig entry generated for krmapihost-kcc.
Cluster create time: 1107 sec
Fetching cluster endpoint and auth data.
kubeconfig entry generated for krmapihost-kcc.
List Clusters:
NAME: kcc
LOCATION: northamerica-northeast1
STATE: RUNNING
post GKE cluster create - applying 2 roles to org: 459065442144 and project: kcc-oi-6475 on the yakima gke service account to prep for kpt deployment: service-993154031891@gcp-sa-yakima.iam.gserviceaccount.com
Updated IAM policy for organization [459065442144].
Updated IAM policy for project [kcc-oi-6475].
Updated IAM policy for organization [459065442144].
Updated IAM policy for organization [459065442144].
Total Duration: 1282 sec
Date: Wed 06 Dec 2023 12:10:02 PM UTC
Timestamp: 1701864602
Updated property [core/project].
Switched back to boot project kcc-oi
**** Done ****
michael@cloudshell:~/kcc-oi-20231206/github/pubsec-declarative-toolkit/solutions (kcc-oi)$    
711             
obriensystems commented 7 months ago

deploying core-landing-zone using derived 0.7.0 release tag (not main)

https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/gh446-hub/solutions/setup.sh#L285

generated setters.yaml

apiVersion: v1
kind: ConfigMap
metadata: # kpt-merge: /setters
  name: setters
  annotations:
    config.kubernetes.io/local-config: "true"
    internal.kpt.dev/upstream-identifier: '|ConfigMap|default|setters'
data:
  org-id: "459..44"
  lz-folder-id: "388627537443"
  billing-id: "014...85"
  management-project-id: "kcc-oi-6475"
  management-project-number: "993154031891"
  management-namespace: config-control
  allowed-trusted-image-projects: |
    - "projects/cos-cloud"
  allowed-contact-domains: |
    - "@obri..es"
  allowed-policy-domain-members: |
    - "C..kc"
  allowed-vpc-peering: |
    - "under:organizations/45...4"
  logging-project-id: logging-project-oi1206
  security-log-bucket: security-log-bucket-oi1206
  platform-and-component-log-bucket: platform-and-component-log-bucket-oi1206
  retention-locking-policy: "false"
  retention-in-days: "1"
  dns-project-id: dns-project-oi1206
  dns-name: "obri..es."

  REL_URL="https://raw.githubusercontent.com/GoogleCloudPlatform/pubsec-declarative-toolkit/main/.release-please-manifest.json"
  # check for existing landing-zone
  echo "deploying ${REL_SUB_PACKAGE}"
  # look up the released version of the package in the release-please manifest
  REL_VERSION=$(curl -s "$REL_URL" | jq -r ".\"$REL_PACKAGE\"")
  echo "get kpt release package $REL_PACKAGE version $REL_VERSION"
  # quoted so a value containing spaces or glob characters cannot expand into other paths
  rm -rf "$REL_SUB_PACKAGE"
  kpt pkg get "https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git/${REL_PACKAGE}@${REL_VERSION}"

michael@cloudshell:~/kcc-oi-20231206/github/pubsec-declarative-toolkit/solutions (kcc-oi)$ ./setup.sh -b kcc-oi -u ar -n false -c false -l true -h false -d false -j false -p kcc-oi-6475

michael@cloudshell:~/kcc-oi-20231206/github/pubsec-declarative-toolkit/solutions (kcc-oi)$ ./setup.sh -b kcc-oi -u ar -n false -c false -l true -h false -d false -j false -p kcc-oi-6475
existing project: kcc-oi-6475
Date: Wed 06 Dec 2023 12:18:04 PM UTC
Timestamp: 1701865084
running with: -b kcc-oi -u ar -c false -l true -h false -r false -d false -p kcc-oi-6475
Updated property [core/project].
Switched back to boot project kcc-oi
Start: 1701865085
unique string: ar
REGION: northamerica-northeast1
NETWORK: kcc-ls-vpc
SUBNET: kcc-ls-sn
CLUSTER: kcc
Reusing project: kcc-oi-6475
CC_PROJECT_ID: kcc-oi-6475
BOOT_PROJECT_ID: kcc-oi
BILLING_ID: 014479-806359-2F5F85
ORG_ID: 459065442144
Switching to KCC project kcc-oi-6475
Updated property [core/project].
wait 60 sec to let the GKE cluster stabilize 15 workloads
KCC_PROJECT_NUMBER: 993154031891
DIRECTORY_CUSTOMER_ID: C03kdhrkc
generated derived setters-core-landing-zone.yaml
Directory kpt exists - using it
deploying core-landing-zone
get kpt release package solutions/core-landing-zone version 0.7.0
Package "core-landing-zone":
Fetching https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit@0.7.0
From https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit
 * tag               solutions/core-landing-zone/0.7.0 -> FETCH_HEAD
Adding package "solutions/core-landing-zone".

Fetched 1 package(s).
copy over generated setters.yaml
removing org/org-policies folder
kpt live init
initializing "resourcegroup.yaml" data (namespace: config-control)...success
kpt fn render
Package "core-landing-zone": 
[RUNNING] "gcr.io/kpt-fn/apply-setters:v0.2"
[PASS] "gcr.io/kpt-fn/apply-setters:v0.2" in 1.5s
  Results:
    [info] spec.folderRef.external: set field value to "388627537443"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/logging-project-oi1206"
    [info] spec.projectRef.name: set field value to "logging-project-oi1206"
    [info] spec.locked: set field value to "false"
    [info] spec.retentionDays: set field value to "1"
    [info] metadata.name: set field value to "platform-and-component-log-bucket-oi1206"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/logging-project-oi1206"
    [info] spec.projectRef.name: set field value to "logging-project-oi1206"
    [info] spec.locked: set field value to "false"
    [info] spec.retentionDays: set field value to "1"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/logging-project-oi1206"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "logging-project-oi1206"
    [info] metadata.name: set field value to "kcc-oi-6475"
    [info] spec.metricsScope: set field value to "location/global/metricsScopes/logging-project-oi1206"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/logging-project-oi1206"
    [info] spec.resourceRef.name: set field value to "logging-project-oi1206"
    [info] spec.bindings[0].members[0].memberFrom.logSinkRef.name: set field value to "org-log-sink-security-logging-project-oi1206"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/logging-project-oi1206"
    [info] spec.resourceRef.name: set field value to "logging-project-oi1206"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/logging-project-oi1206"
    [info] spec.resourceRef.name: set field value to "logging-project-oi1206"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/logging-project-oi1206"
    [info] spec.resourceRef.name: set field value to "logging-project-oi1206"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/logging-project-oi1206"
    [info] spec.resourceRef.name: set field value to "logging-project-oi1206"
    [info] metadata.name: set field value to "logging-project-oi1206-data-access-sink"
    [info] spec.projectRef.name: set field value to "logging-project-oi1206"
    [info] spec.destination.loggingLogBucketRef.external: set field value to "logging.googleapis.com/projects/logging-project-oi1206/locations/northamerica-northeast1/buckets/security-log-bucket"
    [info] metadata.name: set field value to "logging-project-oi1206"
    [info] spec.name: set field value to "logging-project-oi1206"
    [info] spec.billingAccountRef.external: set field value to "014479-806359-2F5F85"
    [info] metadata.name: set field value to "logging-project-oi1206-logging"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/logging-project-oi1206"
    [info] spec.projectRef.external: set field value to "logging-project-oi1206"
    [info] metadata.name: set field value to "logging-project-oi1206-monitoring"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/logging-project-oi1206"
    [info] spec.projectRef.external: set field value to "logging-project-oi1206"
    [info] spec.folderRef.external: set field value to "388627537443"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "logging.cnrm.cloud.google.com/namespaces/logging/LoggingLogBucket/platform-and-component-log-bucket-oi1206"
    [info] spec.destination.loggingLogBucketRef.external: set field value to "logging.googleapis.com/projects/logging-project-oi1206/locations/northamerica-northeast1/buckets/platform-and-component-log-bucket-oi1206"
    [info] spec.folderRef.external: set field value to "388627537443"
    [info] metadata.name: set field value to "dns-project-oi1206-standard-core-public-dns"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "dns-project-oi1206"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/dns-project-oi1206"
    [info] spec.dnsName: set field value to "obrien.industries."
    [info] metadata.name: set field value to "dns-project-oi1206"
    [info] spec.name: set field value to "dns-project-oi1206"
    [info] spec.billingAccountRef.external: set field value to "014479-806359-2F5F85"
    [info] metadata.name: set field value to "dns-project-oi1206-dns"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/dns-project-oi1206"
    [info] spec.projectRef.external: set field value to "dns-project-oi1206"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "logging.cnrm.cloud.google.com/namespaces/logging/LoggingLogBucket/platform-and-component-log-bucket-oi1206"
    [info] spec.destination.loggingLogBucketRef.external: set field value to "logging.googleapis.com/projects/logging-project-oi1206/locations/northamerica-northeast1/buckets/platform-and-component-log-bucket-oi1206"
    [info] spec.folderRef.external: set field value to "388627537443"
    [info] metadata.name: set field value to "compute-disable-serial-port-logging-except-kcc-oi-6475"
    [info] spec.projectRef.external: set field value to "kcc-oi-6475"
    [info] metadata.name: set field value to "compute-require-shielded-vm-except-kcc-oi-6475"
    [info] spec.projectRef.external: set field value to "kcc-oi-6475"
    [info] metadata.name: set field value to "compute-restrict-cloud-nat-usage-except-kcc-oi-6475"
    [info] spec.listPolicy.allow.values[0]: set field value to "under:projects/kcc-oi-6475"
    [info] spec.projectRef.external: set field value to "kcc-oi-6475"
    [info] metadata.annotations.config.kubernetes.io/depends-on: set field value to "logging.cnrm.cloud.google.com/namespaces/logging/LoggingLogBucket/platform-and-component-log-bucket-oi1206"
    [info] spec.projectRef.external: set field value to "kcc-oi-6475"
    [info] spec.destination.loggingLogBucketRef.external: set field value to "logging.googleapis.com/projects/logging-project-oi1206/locations/northamerica-northeast1/buckets/platform-and-component-log-bucket-oi1206"
    [info] metadata.name: set field value to "kcc-oi-6475-cloudbilling"
    [info] metadata.namespace: set field value to "config-control"
    [info] spec.projectRef.external: set field value to "kcc-oi-6475"
    [info] metadata.name: set field value to "kcc-oi-6475-cloudresourcemanager"
    [info] metadata.namespace: set field value to "config-control"
    [info] spec.projectRef.external: set field value to "kcc-oi-6475"
    [info] metadata.name: set field value to "kcc-oi-6475-serviceusage"
    [info] metadata.namespace: set field value to "config-control"
    [info] spec.projectRef.external: set field value to "kcc-oi-6475"
    [info] metadata.name: set field value to "kcc-oi-6475-accesscontextmanager"
    [info] metadata.namespace: set field value to "config-control"
    [info] spec.projectRef.external: set field value to "kcc-oi-6475"
    [info] metadata.name: set field value to "kcc-oi-6475-anthos"
    [info] metadata.namespace: set field value to "config-control"
    [info] spec.projectRef.external: set field value to "kcc-oi-6475"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] spec.resourceRef.external: set field value to "kcc-oi-6475"
    [info] spec.member: set field value to "serviceAccount:config-mgmt-mon-default-sa@kcc-oi-6475.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] spec.bindings[0].members[0].member: set field value to "serviceAccount:kcc-oi-6475.svc.id.goog[config-management-monitoring/default]"
    [info] spec.googleServiceAccount: set field value to "config-mgmt-mon-default-sa@kcc-oi-6475.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] spec.resourceRef.external: set field value to "kcc-oi-6475"
    [info] spec.member: set field value to "serviceAccount:gatekeeper-admin-sa@kcc-oi-6475.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] spec.bindings[0].members[0].member: set field value to "serviceAccount:kcc-oi-6475.svc.id.goog[gatekeeper-system/gatekeeper-admin]"
    [info] spec.googleServiceAccount: set field value to "gatekeeper-admin-sa@kcc-oi-6475.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] spec.resourceRef.external: set field value to "388627537443"
    [info] spec.member: set field value to "serviceAccount:hierarchy-sa@kcc-oi-6475.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] spec.bindings[0].members[0].member: set field value to "serviceAccount:kcc-oi-6475.svc.id.goog[cnrm-system/cnrm-controller-manager-hierarchy]"
    [info] spec.googleServiceAccount: set field value to "hierarchy-sa@kcc-oi-6475.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] spec.resourceRef.external: set field value to "459065442144"
    [info] spec.member: set field value to "serviceAccount:logging-sa@kcc-oi-6475.iam.gserviceaccount.com"
    [info] metadata.name: set field value to "logging-sa-monitoring-admin-kcc-oi-6475-permissions"
    [info] metadata.namespace: set field value to "config-control"
    [info] spec.resourceRef.external: set field value to "kcc-oi-6475"
    [info] spec.member: set field value to "serviceAccount:logging-sa@kcc-oi-6475.iam.gserviceaccount.com"
    [info] metadata.name: set field value to "logging-sa-monitoring-admin-logging-project-oi1206-permissions"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] spec.resourceRef.external: set field value to "logging-project-oi1206"
    [info] spec.member: set field value to "serviceAccount:logging-sa@kcc-oi-6475.iam.gserviceaccount.com"
    [info] metadata.name: set field value to "logging-sa-storageadmin-logging-project-oi1206-permissions"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "logging-project-oi1206"
    [info] spec.resourceRef.name: set field value to "logging-project-oi1206"
    [info] spec.member: set field value to "serviceAccount:logging-sa@kcc-oi-6475.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] spec.bindings[0].members[0].member: set field value to "serviceAccount:kcc-oi-6475.svc.id.goog[cnrm-system/cnrm-controller-manager-logging]"
    [info] spec.googleServiceAccount: set field value to "logging-sa@kcc-oi-6475.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] spec.resourceRef.external: set field value to "459065442144"
    [info] spec.member: set field value to "serviceAccount:service-993154031891@gcp-sa-yakima.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] spec.resourceRef.external: set field value to "kcc-oi-6475"
    [info] spec.member: set field value to "serviceAccount:service-993154031891@gcp-sa-yakima.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] spec.resourceRef.external: set field value to "kcc-oi-6475"
    [info] spec.member: set field value to "serviceAccount:service-993154031891@gcp-sa-yakima.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] spec.resourceRef.external: set field value to "388627537443"
    [info] spec.member: set field value to "serviceAccount:networking-sa@kcc-oi-6475.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] spec.resourceRef.external: set field value to "388627537443"
    [info] spec.member: set field value to "serviceAccount:networking-sa@kcc-oi-6475.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] spec.resourceRef.external: set field value to "388627537443"
    [info] spec.member: set field value to "serviceAccount:networking-sa@kcc-oi-6475.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] spec.resourceRef.external: set field value to "459065442144"
    [info] spec.member: set field value to "serviceAccount:networking-sa@kcc-oi-6475.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] spec.resourceRef.external: set field value to "459065442144"
    [info] spec.member: set field value to "serviceAccount:networking-sa@kcc-oi-6475.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] spec.resourceRef.external: set field value to "388627537443"
    [info] spec.member: set field value to "serviceAccount:networking-sa@kcc-oi-6475.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] spec.bindings[0].members[0].member: set field value to "serviceAccount:kcc-oi-6475.svc.id.goog[cnrm-system/cnrm-controller-manager-networking]"
    [info] spec.googleServiceAccount: set field value to "networking-sa@kcc-oi-6475.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] spec.resourceRef.external: set field value to "459065442144"
    [info] spec.member: set field value to "serviceAccount:policies-sa@kcc-oi-6475.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] spec.bindings[0].members[0].member: set field value to "serviceAccount:kcc-oi-6475.svc.id.goog[cnrm-system/cnrm-controller-manager-policies]"
    [info] spec.googleServiceAccount: set field value to "policies-sa@kcc-oi-6475.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] spec.resourceRef.external: set field value to "388627537443"
    [info] spec.member: set field value to "serviceAccount:projects-sa@kcc-oi-6475.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] spec.resourceRef.external: set field value to "388627537443"
    [info] spec.member: set field value to "serviceAccount:projects-sa@kcc-oi-6475.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] spec.resourceRef.external: set field value to "388627537443"
    [info] spec.member: set field value to "serviceAccount:projects-sa@kcc-oi-6475.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] spec.resourceRef.external: set field value to "388627537443"
    [info] spec.member: set field value to "serviceAccount:projects-sa@kcc-oi-6475.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] spec.resourceRef.external: set field value to "388627537443"
    [info] spec.member: set field value to "serviceAccount:projects-sa@kcc-oi-6475.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] spec.resourceRef.external: set field value to "459065442144"
    [info] spec.member: set field value to "serviceAccount:projects-sa@kcc-oi-6475.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/project-id: set field value to "kcc-oi-6475"
    [info] spec.bindings[0].members[0].member: set field value to "serviceAccount:kcc-oi-6475.svc.id.goog[cnrm-system/cnrm-controller-manager-projects]"
    [info] spec.googleServiceAccount: set field value to "projects-sa@kcc-oi-6475.iam.gserviceaccount.com"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/organization-id: set field value to "459065442144"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/organization-id: set field value to "459065442144"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/organization-id: set field value to "459065442144"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/organization-id: set field value to "459065442144"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/organization-id: set field value to "459065442144"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/organization-id: set field value to "459065442144"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/organization-id: set field value to "459065442144"
    [info] metadata.namespace: set field value to "config-control"
    [info] metadata.annotations.cnrm.cloud.google.com/organization-id: set field value to "459065442144"
    [info] metadata.name: set field value to "org-log-sink-security-logging-project-oi1206"
    [info] spec.organizationRef.external: set field value to "459065442144"
    [info] spec.destination.loggingLogBucketRef.external: set field value to "logging.googleapis.com/projects/logging-project-oi1206/locations/northamerica-northeast1/buckets/security-log-bucket"
    [info] metadata.name: set field value to "org-log-sink-data-access-logging-project-oi1206"
    [info] spec.organizationRef.external: set field value to "459065442144"
    [info] spec.destination.loggingLogBucketRef.external: set field value to "logging.googleapis.com/projects/logging-project-oi1206/locations/northamerica-northeast1/buckets/security-log-bucket"

Successfully executed 1 function(s) in 1 package(s).
kpt live apply
installing inventory ResourceGroup CRD.
inventory update started
inventory update finished
apply phase started
namespace/hierarchy apply successful
namespace/logging apply successful
namespace/networking apply successful
namespace/policies apply successful
namespace/projects apply successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com apply successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com apply successful
iamcustomrole.iam.cnrm.cloud.google.com/gke-firewall-admin apply successful
iamcustomrole.iam.cnrm.cloud.google.com/tier2-dnsrecord-admin apply successful
iamcustomrole.iam.cnrm.cloud.google.com/tier2-vpcpeering-admin apply successful
iamcustomrole.iam.cnrm.cloud.google.com/tier3-dnsrecord-admin apply successful
iamcustomrole.iam.cnrm.cloud.google.com/tier3-firewallrule-admin apply successful
iamcustomrole.iam.cnrm.cloud.google.com/tier3-subnetwork-admin apply successful
iamcustomrole.iam.cnrm.cloud.google.com/tier3-vpcsc-admin apply successful
iamcustomrole.iam.cnrm.cloud.google.com/tier4-secretmanager-admin apply successful
iampartialpolicy.iam.cnrm.cloud.google.com/config-mgmt-mon-default-sa-workload-identity-binding apply successful
iampartialpolicy.iam.cnrm.cloud.google.com/gatekeeper-admin-sa-workload-identity-binding apply successful
iampartialpolicy.iam.cnrm.cloud.google.com/hierarchy-sa-workload-identity-binding apply successful
iampartialpolicy.iam.cnrm.cloud.google.com/logging-sa-workload-identity-binding apply successful
iampartialpolicy.iam.cnrm.cloud.google.com/networking-sa-workload-identity-binding apply successful
iampartialpolicy.iam.cnrm.cloud.google.com/policies-sa-workload-identity-binding apply successful
iampartialpolicy.iam.cnrm.cloud.google.com/projects-sa-workload-identity-binding apply successful
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-management-project-editor-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-management-project-serviceaccountadmin-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-orgroleadmin-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/config-mgmt-mon-default-sa-metric-writer-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/gatekeeper-admin-sa-metric-writer-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/hierarchy-sa-folderadmin-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-logadmin-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-monitoring-admin-kcc-oi-6475-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-dns-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-networkadmin-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-security-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-service-control-org-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-servicedirectoryeditor-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-xpnadmin-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/policies-sa-orgpolicyadmin-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-billinguser-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectcreator-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectdeleter-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectiamadmin-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectmover-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-serviceusageadmin-permissions apply successful
iamserviceaccount.iam.cnrm.cloud.google.com/config-mgmt-mon-default-sa apply successful
iamserviceaccount.iam.cnrm.cloud.google.com/gatekeeper-admin-sa apply successful
iamserviceaccount.iam.cnrm.cloud.google.com/hierarchy-sa apply successful
iamserviceaccount.iam.cnrm.cloud.google.com/logging-sa apply successful
iamserviceaccount.iam.cnrm.cloud.google.com/networking-sa apply successful
iamserviceaccount.iam.cnrm.cloud.google.com/policies-sa apply successful
iamserviceaccount.iam.cnrm.cloud.google.com/projects-sa apply successful
service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-accesscontextmanag

service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-anthos apply successful
service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-cloudbilling apply successful
service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-cloudresourcemanager apply successful
service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-serviceusage apply successful
apply phase finished
reconcile phase started
namespace/hierarchy reconcile successful
namespace/logging reconcile successful
namespace/networking reconcile successful
namespace/policies reconcile successful
namespace/projects reconcile successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com reconcile successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com reconcile successful
iamcustomrole.iam.cnrm.cloud.google.com/gke-firewall-admin reconcile successful
iamcustomrole.iam.cnrm.cloud.google.com/tier2-dnsrecord-admin reconcile successful
iamcustomrole.iam.cnrm.cloud.google.com/tier2-vpcpeering-admin reconcile successful
iamcustomrole.iam.cnrm.cloud.google.com/tier3-dnsrecord-admin reconcile successful
iamcustomrole.iam.cnrm.cloud.google.com/tier3-firewallrule-admin reconcile successful
iamcustomrole.iam.cnrm.cloud.google.com/tier3-subnetwork-admin reconcile successful
iamcustomrole.iam.cnrm.cloud.google.com/tier3-vpcsc-admin reconcile successful
iamcustomrole.iam.cnrm.cloud.google.com/tier4-secretmanager-admin reconcile successful
iampartialpolicy.iam.cnrm.cloud.google.com/config-mgmt-mon-default-sa-workload-identity-binding reconcile successful
iampartialpolicy.iam.cnrm.cloud.google.com/gatekeeper-admin-sa-workload-identity-binding reconcile successful
iampartialpolicy.iam.cnrm.cloud.google.com/hierarchy-sa-workload-identity-binding reconcile pending
iampartialpolicy.iam.cnrm.cloud.google.com/logging-sa-workload-identity-binding reconcile pending
iampartialpolicy.iam.cnrm.cloud.google.com/networking-sa-workload-identity-binding reconcile pending
iampartialpolicy.iam.cnrm.cloud.google.com/policies-sa-workload-identity-binding reconcile pending
iampartialpolicy.iam.cnrm.cloud.google.com/projects-sa-workload-identity-binding reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-management-project-editor-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-management-project-serviceaccountadmin-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-orgroleadmin-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/config-mgmt-mon-default-sa-metric-writer-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/gatekeeper-admin-sa-metric-writer-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/hierarchy-sa-folderadmin-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-logadmin-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-monitoring-admin-kcc-oi-6475-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-dns-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-networkadmin-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-security-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-service-control-org-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-servicedirectoryeditor-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-xpnadmin-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/policies-sa-orgpolicyadmin-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-billinguser-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectcreator-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectdeleter-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectiamadmin-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectmover-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-serviceusageadmin-permissions reconcile pending
iamserviceaccount.iam.cnrm.cloud.google.com/config-mgmt-mon-default-sa reconcile successful
iamserviceaccount.iam.cnrm.cloud.google.com/gatekeeper-admin-sa reconcile successful
iamserviceaccount.iam.cnrm.cloud.google.com/hierarchy-sa reconcile pending
iamserviceaccount.iam.cnrm.cloud.google.com/logging-sa reconcile successful
iamserviceaccount.iam.cnrm.cloud.google.com/networking-sa reconcile successful
iamserviceaccount.iam.cnrm.cloud.google.com/policies-sa reconcile pending
iamserviceaccount.iam.cnrm.cloud.google.com/projects-sa reconcile pending
service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-accesscontextmanager reconcile pending
service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-anthos reconcile pending
service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-cloudbilling reconcile pending
service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-cloudresourcemanager reconcile pending
service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-serviceusage reconcile pending
iampartialpolicy.iam.cnrm.cloud.google.com/networking-sa-workload-identity-binding reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectdeleter-permissions reconcile failed
iamserviceaccount.iam.cnrm.cloud.google.com/hierarchy-sa reconcile successful
iampartialpolicy.iam.cnrm.cloud.google.com/logging-sa-workload-identity-binding reconcile successful
iampartialpolicy.iam.cnrm.cloud.google.com/hierarchy-sa-workload-identity-binding reconcile successful
service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-cloudbilling reconcile successful
service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-accesscontextmanager reconcile successful
service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-cloudresourcemanager reconcile successful
service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-anthos reconcile successful
service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-serviceusage reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-billinguser-permissions reconcile failed
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectiamadmin-permissions reconcile failed
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectmover-permissions reconcile failed
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-serviceusageadmin-permissions reconcile failed
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-xpnadmin-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-management-project-editor-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-logadmin-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-management-project-serviceaccountadmin-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/hierarchy-sa-folderadmin-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/config-mgmt-mon-default-sa-metric-writer-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-dns-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-service-control-org-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-networkadmin-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/gatekeeper-admin-sa-metric-writer-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-monitoring-admin-kcc-oi-6475-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-security-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-servicedirectoryeditor-permissions reconcile successful

0719
iamserviceaccount.iam.cnrm.cloud.google.com/policies-sa reconcile successful
iamserviceaccount.iam.cnrm.cloud.google.com/projects-sa reconcile successful
iampartialpolicy.iam.cnrm.cloud.google.com/policies-sa-workload-identity-binding reconcile successful
iampartialpolicy.iam.cnrm.cloud.google.com/projects-sa-workload-identity-binding reconcile successful

0721
iampolicymember.iam.cnrm.cloud.google.com/policies-sa-orgpolicyadmin-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-billinguser-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectcreator-permissions reconcile successful
reconcile phase finished
apply phase started
rolebinding.rbac.authorization.k8s.io/allow-folders-resource-reference-to-logging apply successful
rolebinding.rbac.authorization.k8s.io/allow-hierarchy-resource-reference-from-config-control apply successful
rolebinding.rbac.authorization.k8s.io/allow-hierarchy-resource-reference-from-policies apply successful
rolebinding.rbac.authorization.k8s.io/allow-hierarchy-resource-reference-from-projects apply successful
rolebinding.rbac.authorization.k8s.io/allow-logging-resource-reference-from-projects apply successful
rolebinding.rbac.authorization.k8s.io/allow-projects-resource-reference-from-logging apply successful
rolebinding.rbac.authorization.k8s.io/allow-projects-resource-reference-from-networking apply successful
rolebinding.rbac.authorization.k8s.io/allow-projects-resource-reference-from-policies apply successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com apply successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com apply successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com apply successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com apply successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com apply successful
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-monitoring-admin-logging-project-oi1206-permissions apply successful
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-storageadmin-logging-project-oi1206-permissions apply successful
monitoringmonitoredproject.monitoring.cnrm.cloud.google.com/kcc-oi-6475 apply successful
folder.resourcemanager.cnrm.cloud.google.com/audits apply successful
folder.resourcemanager.cnrm.cloud.google.com/clients apply successful
folder.resourcemanager.cnrm.cloud.google.com/services apply successful
folder.resourcemanager.cnrm.cloud.google.com/services-infrastructure apply successful
project.resourcemanager.cnrm.cloud.google.com/logging-project-oi1206 apply successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-serial-port-logging-except-kcc-oi-6475 apply successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-shielded-vm-except-kcc-oi-6475 apply successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-restrict-cloud-nat-usage-except-kcc-oi-6475 apply successful
apply phase finished
reconcile phase started
rolebinding.rbac.authorization.k8s.io/allow-folders-resource-reference-to-logging reconcile successful
rolebinding.rbac.authorization.k8s.io/allow-hierarchy-resource-reference-from-config-control reconcile successful
rolebinding.rbac.authorization.k8s.io/allow-hierarchy-resource-reference-from-policies reconcile successful
rolebinding.rbac.authorization.k8s.io/allow-hierarchy-resource-reference-from-projects reconcile successful
rolebinding.rbac.authorization.k8s.io/allow-logging-resource-reference-from-projects reconcile successful
rolebinding.rbac.authorization.k8s.io/allow-projects-resource-reference-from-logging reconcile successful
rolebinding.rbac.authorization.k8s.io/allow-projects-resource-reference-from-networking reconcile successful
rolebinding.rbac.authorization.k8s.io/allow-projects-resource-reference-from-policies reconcile successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com reconcile successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com reconcile successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com reconcile successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com reconcile successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-monitoring-admin-logging-project-oi1206-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-storageadmin-logging-project-oi1206-permissions reconcile pending
monitoringmonitoredproject.monitoring.cnrm.cloud.google.com/kcc-oi-6475 reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/audits reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/clients reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/services reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/services-infrastructure reconcile pending
project.resourcemanager.cnrm.cloud.google.com/logging-project-oi1206 reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-serial-port-logging-except-kcc-oi-6475 reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-shielded-vm-except-kcc-oi-6475 reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-restrict-cloud-nat-usage-except-kcc-oi-6475 reconcile pending
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-shielded-vm-except-kcc-oi-6475 reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-serial-port-logging-except-kcc-oi-6475 reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-restrict-cloud-nat-usage-except-kcc-oi-6475 reconcile successful
monitoringmonitoredproject.monitoring.cnrm.cloud.google.com/kcc-oi-6475 reconcile failed
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-monitoring-admin-logging-project-oi1206-permissions reconcile failed
folder.resourcemanager.cnrm.cloud.google.com/audits reconcile successful
folder.resourcemanager.cnrm.cloud.google.com/clients reconcile successful
folder.resourcemanager.cnrm.cloud.google.com/services reconcile successful
folder.resourcemanager.cnrm.cloud.google.com/services-infrastructure reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-monitoring-admin-logging-project-oi1206-permissions reconcile successful
project.resourcemanager.cnrm.cloud.google.com/logging-project-oi1206 reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-storageadmin-logging-project-oi1206-permissions reconcile successful
reconcile phase finished
apply phase started
iamauditconfig.iam.cnrm.cloud.google.com/logging-project-data-access-log-config apply successful
iampartialpolicy.iam.cnrm.cloud.google.com/mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions apply successful
iampartialpolicy.iam.cnrm.cloud.google.com/platform-and-component-services-infra-log-bucket-writer-permissions apply successful
iampartialpolicy.iam.cnrm.cloud.google.com/platform-and-component-services-log-bucket-writer-permissions apply successful
iampartialpolicy.iam.cnrm.cloud.google.com/security-log-bucket-writer-permissions apply successful
logginglogbucket.logging.cnrm.cloud.google.com/platform-and-component-log-bucket-oi1206 apply successful
logginglogbucket.logging.cnrm.cloud.google.com/security-log-bucket apply successful
project.resourcemanager.cnrm.cloud.google.com/dns-project-oi1206 apply successful
service.serviceusage.cnrm.cloud.google.com/logging-project-oi1206-logging apply successful
service.serviceusage.cnrm.cloud.google.com/logging-project-oi1206-monitoring apply successful
storagebucket.storage.cnrm.cloud.google.com/security-incident-log-bucket apply successful
apply phase finished
reconcile phase started
iamauditconfig.iam.cnrm.cloud.google.com/logging-project-data-access-log-config reconcile pending
iampartialpolicy.iam.cnrm.cloud.google.com/mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions reconcile pending
iampartialpolicy.iam.cnrm.cloud.google.com/platform-and-component-services-infra-log-bucket-writer-permissions reconcile pending
iampartialpolicy.iam.cnrm.cloud.google.com/platform-and-component-services-log-bucket-writer-permissions reconcile pending
iampartialpolicy.iam.cnrm.cloud.google.com/security-log-bucket-writer-permissions reconcile pending
logginglogbucket.logging.cnrm.cloud.google.com/platform-and-component-log-bucket-oi1206 reconcile pending
logginglogbucket.logging.cnrm.cloud.google.com/security-log-bucket reconcile pending
project.resourcemanager.cnrm.cloud.google.com/dns-project-oi1206 reconcile pending
service.serviceusage.cnrm.cloud.google.com/logging-project-oi1206-logging reconcile pending
service.serviceusage.cnrm.cloud.google.com/logging-project-oi1206-monitoring reconcile pending
storagebucket.storage.cnrm.cloud.google.com/security-incident-log-bucket reconcile pending
storagebucket.storage.cnrm.cloud.google.com/security-incident-log-bucket reconcile successful
logginglogbucket.logging.cnrm.cloud.google.com/security-log-bucket reconcile successful
logginglogbucket.logging.cnrm.cloud.google.com/platform-and-component-log-bucket-oi1206 reconcile successful
iamauditconfig.iam.cnrm.cloud.google.com/logging-project-data-access-log-config reconcile successful
service.serviceusage.cnrm.cloud.google.com/logging-project-oi1206-monitoring reconcile successful
service.serviceusage.cnrm.cloud.google.com/logging-project-oi1206-logging reconcile successful
0727
project.resourcemanager.cnrm.cloud.google.com/dns-project-oi1206 reconcile successful

750 ctrl-c - reduce reconcile timeout

michael@cloudshell:~/kcc-oi-20231206/github/pubsec-declarative-toolkit/solutions (kcc-oi-6475)$ kubectl get gcp -n projects
NAME                                                                              AGE   READY   STATUS     STATUS AGE
iamauditconfig.iam.cnrm.cloud.google.com/logging-project-data-access-log-config   29m   True    UpToDate   29m

NAME                                                                                                                   AGE   READY   STATUS               STATUS AGE
iampartialpolicy.iam.cnrm.cloud.google.com/mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions   29m   False   DependencyNotFound   29m
iampartialpolicy.iam.cnrm.cloud.google.com/platform-and-component-services-infra-log-bucket-writer-permissions         29m   False   DependencyNotFound   29m
iampartialpolicy.iam.cnrm.cloud.google.com/platform-and-component-services-log-bucket-writer-permissions               29m   False   DependencyNotFound   29m
iampartialpolicy.iam.cnrm.cloud.google.com/security-log-bucket-writer-permissions                                      29m   False   DependencyNotFound   29m

NAME                                                                                                       AGE   READY   STATUS     STATUS AGE
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-monitoring-admin-logging-project-oi1206-permissions   32m   True    UpToDate   30m
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-storageadmin-logging-project-oi1206-permissions       32m   True    UpToDate   29m

NAME                                                                   AGE   READY   STATUS     STATUS AGE
project.resourcemanager.cnrm.cloud.google.com/dns-project-oi1206       29m   True    UpToDate   28m
project.resourcemanager.cnrm.cloud.google.com/logging-project-oi1206   32m   True    UpToDate   29m

NAME                                                                           AGE   READY   STATUS     STATUS AGE
service.serviceusage.cnrm.cloud.google.com/logging-project-oi1206-logging      29m   True    UpToDate   29m
service.serviceusage.cnrm.cloud.google.com/logging-project-oi1206-monitoring   29m   True    UpToDate   29m
michael@cloudshell:~/kcc-oi-20231206/github/pubsec-declarative-toolkit/solutions (kcc-oi-6475)$ kubectl get gcp -n networking
No resources found in networking namespace.
michael@cloudshell:~/kcc-oi-20231206/github/pubsec-declarative-toolkit/solutions (kcc-oi-6475)$   kubectl get gcp -n hierarchy
NAME                                                                   AGE   READY   STATUS     STATUS AGE
folder.resourcemanager.cnrm.cloud.google.com/audits                    33m   True    UpToDate   31m
folder.resourcemanager.cnrm.cloud.google.com/clients                   33m   True    UpToDate   31m
folder.resourcemanager.cnrm.cloud.google.com/services                  33m   True    UpToDate   31m
folder.resourcemanager.cnrm.cloud.google.com/services-infrastructure   32m   True    UpToDate   31m
michael@cloudshell:~/kcc-oi-20231206/github/pubsec-declarative-toolkit/solutions (kcc-oi-6475)$  kubectl get gcp -n policies
NAME                                                                                                                 AGE   READY   STATUS     STATUS AGE
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-serial-port-logging-except-kcc-oi-6475   33m   True    UpToDate   32m
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-shielded-vm-except-kcc-oi-6475           33m   True    UpToDate   32m
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-restrict-cloud-nat-usage-except-kcc-oi-6475      33m   True    UpToDate   32m
michael@cloudshell:~/kcc-oi-20231206/github/pubsec-declarative-toolkit/solutions (kcc-oi-6475)$ kubectl get gcp -n logging
NAME                                                                                      AGE   READY   STATUS     STATUS AGE
logginglogbucket.logging.cnrm.cloud.google.com/platform-and-component-log-bucket-oi1206   31m   True    UpToDate   31m
logginglogbucket.logging.cnrm.cloud.google.com/security-log-bucket                        31m   True    UpToDate   31m

NAME                                                                      AGE   READY   STATUS     STATUS AGE
monitoringmonitoredproject.monitoring.cnrm.cloud.google.com/kcc-oi-6475   33m   True    UpToDate   30m

NAME                                                                       AGE   READY   STATUS     STATUS AGE
storagebucket.storage.cnrm.cloud.google.com/security-incident-log-bucket   31m   True    UpToDate   31m
michael@cloudshell:~/kcc-oi-20231206/github/pubsec-declarative-toolkit/solutions (kcc-oi-6475)$ kubectl get gcp -n config-control
NAME                                                                AGE   READY   STATUS     STATUS AGE
iamcustomrole.iam.cnrm.cloud.google.com/gke-firewall-admin          35m   True    UpToDate   35m
iamcustomrole.iam.cnrm.cloud.google.com/tier2-dnsrecord-admin       35m   True    UpToDate   35m
iamcustomrole.iam.cnrm.cloud.google.com/tier2-vpcpeering-admin      35m   True    UpToDate   35m
iamcustomrole.iam.cnrm.cloud.google.com/tier3-dnsrecord-admin       35m   True    UpToDate   35m
iamcustomrole.iam.cnrm.cloud.google.com/tier3-firewallrule-admin    35m   True    UpToDate   35m
iamcustomrole.iam.cnrm.cloud.google.com/tier3-subnetwork-admin      35m   True    UpToDate   35m
iamcustomrole.iam.cnrm.cloud.google.com/tier3-vpcsc-admin           35m   True    UpToDate   35m
iamcustomrole.iam.cnrm.cloud.google.com/tier4-secretmanager-admin   35m   True    UpToDate   35m

NAME                                                                                              AGE   READY   STATUS     STATUS AGE
iampartialpolicy.iam.cnrm.cloud.google.com/config-mgmt-mon-default-sa-workload-identity-binding   35m   True    UpToDate   35m
iampartialpolicy.iam.cnrm.cloud.google.com/gatekeeper-admin-sa-workload-identity-binding          35m   True    UpToDate   35m
iampartialpolicy.iam.cnrm.cloud.google.com/hierarchy-sa-workload-identity-binding                 35m   True    UpToDate   35m
iampartialpolicy.iam.cnrm.cloud.google.com/logging-sa-workload-identity-binding                   35m   True    UpToDate   35m
iampartialpolicy.iam.cnrm.cloud.google.com/networking-sa-workload-identity-binding                35m   True    UpToDate   35m
iampartialpolicy.iam.cnrm.cloud.google.com/policies-sa-workload-identity-binding                  35m   True    UpToDate   34m
iampartialpolicy.iam.cnrm.cloud.google.com/projects-sa-workload-identity-binding                  35m   True    UpToDate   34m

NAME                                                                                                             AGE   READY   STATUS     STATUS AGE
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-management-project-editor-permissions                35m   True    UpToDate   35m
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-management-project-serviceaccountadmin-permissions   35m   True    UpToDate   35m
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-orgroleadmin-permissions                             35m   True    UpToDate   35m
iampolicymember.iam.cnrm.cloud.google.com/config-mgmt-mon-default-sa-metric-writer-permissions                   35m   True    UpToDate   35m
iampolicymember.iam.cnrm.cloud.google.com/gatekeeper-admin-sa-metric-writer-permissions                          35m   True    UpToDate   35m
iampolicymember.iam.cnrm.cloud.google.com/hierarchy-sa-folderadmin-permissions                                   35m   True    UpToDate   35m
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-logadmin-permissions                                        35m   True    UpToDate   35m
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-monitoring-admin-kcc-oi-6475-permissions                    35m   True    UpToDate   35m
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-dns-permissions                                          35m   True    UpToDate   35m
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-networkadmin-permissions                                 35m   True    UpToDate   35m
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-security-permissions                                     35m   True    UpToDate   35m
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-service-control-org-permissions                          35m   True    UpToDate   35m
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-servicedirectoryeditor-permissions                       35m   True    UpToDate   35m
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-xpnadmin-permissions                                     35m   True    UpToDate   35m
iampolicymember.iam.cnrm.cloud.google.com/policies-sa-orgpolicyadmin-permissions                                 35m   True    UpToDate   34m
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-billinguser-permissions                                    35m   True    UpToDate   34m
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectcreator-permissions                                 35m   True    UpToDate   34m
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectdeleter-permissions                                 35m   True    UpToDate   33m
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectiamadmin-permissions                                35m   True    UpToDate   33m
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectmover-permissions                                   35m   True    UpToDate   33m
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-serviceusageadmin-permissions                              35m   True    UpToDate   33m

NAME                                                                     AGE   READY   STATUS     STATUS AGE
iamserviceaccount.iam.cnrm.cloud.google.com/config-mgmt-mon-default-sa   35m   True    UpToDate   35m
iamserviceaccount.iam.cnrm.cloud.google.com/gatekeeper-admin-sa          35m   True    UpToDate   35m
iamserviceaccount.iam.cnrm.cloud.google.com/hierarchy-sa                 35m   True    UpToDate   35m
iamserviceaccount.iam.cnrm.cloud.google.com/logging-sa                   35m   True    UpToDate   35m
iamserviceaccount.iam.cnrm.cloud.google.com/networking-sa                35m   True    UpToDate   35m
iamserviceaccount.iam.cnrm.cloud.google.com/policies-sa                  35m   True    UpToDate   34m
iamserviceaccount.iam.cnrm.cloud.google.com/projects-sa                  35m   True    UpToDate   34m

NAME                                                                          AGE   READY   STATUS     STATUS AGE
service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-accesscontextmanager   35m   True    UpToDate   35m
service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-anthos                 35m   True    UpToDate   35m
service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-cloudbilling           35m   True    UpToDate   35m
service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-cloudresourcemanager   35m   True    UpToDate   35m
service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-serviceusage           35m   True    UpToDate   35m

Issues with

iampartialpolicy.iam.cnrm.cloud.google.com/mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions   29m   False   DependencyNotFound   29m
iampartialpolicy.iam.cnrm.cloud.google.com/platform-and-component-services-infra-log-bucket-writer-permissions         29m   False   DependencyNotFound   29m
iampartialpolicy.iam.cnrm.cloud.google.com/platform-and-component-services-log-bucket-writer-permissions               29m   False   DependencyNotFound   29m
iampartialpolicy.iam.cnrm.cloud.google.com/security-log-bucket-writer-permissions                                      29m   False   DependencyNotFound   29m

kubens config-control
michael@cloudshell:~/kcc-oi-20231206/github/pubsec-declarative-toolkit/solutions (kcc-oi-6475)$ kubectl get gcp | grep UpdateFailed
(not representative)

michael@cloudshell:~/kcc-oi-20231206/github/pubsec-declarative-toolkit/solutions (kcc-oi-6475)$ kubectl describe iampartialpolicy.iam.cnrm.cloud.google.com/security-log-bucket-writer-permissions -n projects
Name:         security-log-bucket-writer-permissions
Namespace:    projects
Labels:       <none>
Annotations:  cnrm.cloud.google.com/blueprint: kpt-pkg-fn-live
              config.k8s.io/owning-inventory: ace11e1affe3760bdf91752781e6fec950f9ba61-1701865095377759288
              config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/logging-project-oi1206
              internal.kpt.dev/upstream-identifier: iam.cnrm.cloud.google.com|IAMPartialPolicy|projects|security-log-bucket-writer-permissions
API Version:  iam.cnrm.cloud.google.com/v1beta1
Kind:         IAMPartialPolicy
Metadata:
  Creation Timestamp:  2023-12-06T12:22:34Z
  Generation:          1
  Resource Version:    25635
  UID:                 234ca697-ddd8-43a1-a3ed-e74f5a51d002
Spec:
  Bindings:
    Members:
      Member From:
        Log Sink Ref:
          Name:       org-log-sink-security-logging-project-oi1206
          Namespace:  logging
    Role:             roles/logging.bucketWriter
  Resource Ref:
    API Version:  resourcemanager.cnrm.cloud.google.com/v1beta1
    Kind:         Project
    Name:         logging-project-oi1206
    Namespace:    projects
Status:
  Conditions:
    Last Transition Time:  2023-12-06T12:22:35Z
    Message:               reference LoggingLogSink logging/org-log-sink-security-logging-project-oi1206 is not found
    Reason:                DependencyNotFound
    Status:                False
    Type:                  Ready
  Observed Generation:     1
Events:
  Type     Reason              Age                  From                         Message
  ----     ------              ----                 ----                         -------
  Warning  DependencyNotFound  5m12s (x4 over 33m)  iampartialpolicy-controller  reference LoggingLogSink logging/org-log-sink-security-logging-project-oi1206 is not found
michael@cloudshell:~/kcc-oi-20231206/github/pubsec-declarative-toolkit/solutions (kcc-oi-6475)$ 

michael@cloudshell:~/kcc-oi-20231206/github/pubsec-declarative-toolkit/solutions (kcc-oi-6475)$ kubectl describe iampartialpolicy.iam.cnrm.cloud.google.com/mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions -n projects
Name:         mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions
Namespace:    projects
Labels:       <none>
Annotations:  cnrm.cloud.google.com/blueprint: kpt-pkg-fn-live
              config.k8s.io/owning-inventory: ace11e1affe3760bdf91752781e6fec950f9ba61-1701865095377759288
              config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/logging-project-oi1206
              internal.kpt.dev/upstream-identifier:
                iam.cnrm.cloud.google.com|IAMPartialPolicy|projects|mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions
API Version:  iam.cnrm.cloud.google.com/v1beta1
Kind:         IAMPartialPolicy
Metadata:
  Creation Timestamp:  2023-12-06T12:22:33Z
  Generation:          1
  Resource Version:    25600
  UID:                 bafe8b5a-8d98-466c-b76a-5e5f53ab509b
Spec:
  Bindings:
    Members:
      Member From:
        Log Sink Ref:
          Name:       mgmt-project-cluster-platform-and-component-log-sink
          Namespace:  logging
    Role:             roles/logging.bucketWriter
  Resource Ref:
    API Version:  resourcemanager.cnrm.cloud.google.com/v1beta1
    Kind:         Project
    Name:         logging-project-oi1206
    Namespace:    projects
Status:
  Conditions:
    Last Transition Time:  2023-12-06T12:22:34Z
    Message:               reference LoggingLogSink logging/mgmt-project-cluster-platform-and-component-log-sink is not found
    Reason:                DependencyNotFound
    Status:                False
    Type:                  Ready
  Observed Generation:     1
Events:
  Type     Reason              Age                 From                         Message
  ----     ------              ----                ----                         -------
  Warning  DependencyNotFound  103s (x5 over 37m)  iampartialpolicy-controller  reference LoggingLogSink logging/mgmt-project-cluster-platform-and-component-log-sink is not found

Triage up the chain

Warning  DependencyNotFound  5m12s (x4 over 33m)  iampartialpolicy-controller  reference LoggingLogSink logging/org-log-sink-security-logging-project-oi1206 is not found

  Warning  DependencyNotFound  103s (x5 over 37m)  iampartialpolicy-controller  reference LoggingLogSink logging/mgmt-project-cluster-platform-and-component-log-sink is not found

running main 20231206:0600 to verify no issue with the following https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/core-landing-zone/lz-folder/services-infrastructure/folder-sink.yaml#L23 platform-and-component-services-infra-log-sink from https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/core-landing-zone/lz-folder/audits/logging-project/project-iam.yaml#L105 mgmt-project-cluster-platform-and-component-log-sink
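
Added example, not part of the comments in this thread or of the toolkit: a Cloud Shell helper for the triage shown above. It reduces a `kpt live apply` event stream to the resources whose last reconcile event is not `successful`, and extracts the missing reference from `DependencyNotFound` messages. The function names are assumptions, and the embedded sample lines are a constructed excerpt that reuses resource names from the log above.

```shell
#!/usr/bin/env bash
# Added example: triage helpers for kpt / Config Connector output.
# Function names are hypothetical; sample input is a constructed excerpt.

# unreconciled: read `kpt live apply` output on stdin and print
# "<last-status> <resource>" for every resource whose final reconcile
# event is not "successful". Phase marker lines and apply events are ignored.
# Note: kpt prints no namespace, so same-named resources in different
# namespaces (e.g. the configconnectorcontext lines) collapse into one key.
unreconciled() {
  awk '
    NF == 3 && $2 == "reconcile" && $3 ~ /^(pending|failed|successful)$/ {
      if (!($1 in state)) order[++n] = $1   # remember first-seen order
      state[$1] = $3                        # later events overwrite earlier ones
    }
    END {
      for (i = 1; i <= n; i++)
        if (state[order[i]] != "successful")
          print state[order[i]], order[i]
    }
  '
}

# missing_refs: read `kubectl describe` output (or event lines) on stdin and
# print each distinct "<Kind> <namespace>/<name>" that a controller reported
# as "is not found". The Message and Events lines repeat, hence sort -u.
missing_refs() {
  sed -n 's/.*reference \([A-Za-z]*\) \([^ ]*\) is not found.*/\1 \2/p' | sort -u
}

# Constructed sample: a shortened kpt event stream interrupted mid-reconcile.
sample_kpt_log() {
  cat <<'EOF'
reconcile phase started
monitoringmonitoredproject.monitoring.cnrm.cloud.google.com/kcc-oi-6475 reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/audits reconcile pending
monitoringmonitoredproject.monitoring.cnrm.cloud.google.com/kcc-oi-6475 reconcile failed
folder.resourcemanager.cnrm.cloud.google.com/audits reconcile successful
reconcile phase finished
apply phase started
iampartialpolicy.iam.cnrm.cloud.google.com/security-log-bucket-writer-permissions apply successful
logginglogbucket.logging.cnrm.cloud.google.com/security-log-bucket apply successful
apply phase finished
reconcile phase started
iampartialpolicy.iam.cnrm.cloud.google.com/security-log-bucket-writer-permissions reconcile pending
logginglogbucket.logging.cnrm.cloud.google.com/security-log-bucket reconcile pending
logginglogbucket.logging.cnrm.cloud.google.com/security-log-bucket reconcile successful
EOF
}

# Constructed sample: the condition and event lines from two describe outputs.
sample_describe() {
  cat <<'EOF'
    Message:               reference LoggingLogSink logging/org-log-sink-security-logging-project-oi1206 is not found
    Reason:                DependencyNotFound
  Warning  DependencyNotFound  5m12s (x4 over 33m)  iampartialpolicy-controller  reference LoggingLogSink logging/org-log-sink-security-logging-project-oi1206 is not found
    Message:               reference LoggingLogSink logging/mgmt-project-cluster-platform-and-component-log-sink is not found
  Warning  DependencyNotFound  103s (x5 over 37m)  iampartialpolicy-controller  reference LoggingLogSink logging/mgmt-project-cluster-platform-and-component-log-sink is not found
EOF
}

echo "Resources not reconciled when the stream ended:"
sample_kpt_log | unreconciled
echo "Referenced objects reported as missing:"
sample_describe | missing_refs
```

Against a live run, pipe the saved `kpt live apply` output into `unreconciled` and the output of `kubectl describe` for each reported resource into `missing_refs`; an IAM binding left pending on a missing log sink means the sink's writer identity has not yet been granted `roles/logging.bucketWriter`.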

obriensystems commented 6 months ago

temporarily removing the core-landing-zone and cluster for cost reduction (no hub deployed on this org) https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/wiki/DevOps#delete-via-kpt---recommended

michael@cloudshell:~/kcc-oi-20231206/kpt (kcc-oi-6475)$ kpt live destroy core-landing-zone

delete phase started
storagebucket.storage.cnrm.cloud.google.com/security-incident-log-bucket delete successful
service.serviceusage.cnrm.cloud.google.com/logging-project-oi1206-monitoring delete successful
service.serviceusage.cnrm.cloud.google.com/logging-project-oi1206-logging delete successful
project.resourcemanager.cnrm.cloud.google.com/dns-project-oi1206 delete successful
logginglogbucket.logging.cnrm.cloud.google.com/security-log-bucket delete successful
logginglogbucket.logging.cnrm.cloud.google.com/platform-and-component-log-bucket-oi1206 delete successful
iampartialpolicy.iam.cnrm.cloud.google.com/security-log-bucket-writer-permissions delete successful
iampartialpolicy.iam.cnrm.cloud.google.com/platform-and-component-services-log-bucket-writer-permissions delete successful
iampartialpolicy.iam.cnrm.cloud.google.com/platform-and-component-services-infra-log-bucket-writer-permissions delete successful
iampartialpolicy.iam.cnrm.cloud.google.com/mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions delete successful
iamauditconfig.iam.cnrm.cloud.google.com/logging-project-data-access-log-config delete successful
delete phase finished
reconcile phase started
storagebucket.storage.cnrm.cloud.google.com/security-incident-log-bucket reconcile pending
service.serviceusage.cnrm.cloud.google.com/logging-project-oi1206-monitoring reconcile pending
service.serviceusage.cnrm.cloud.google.com/logging-project-oi1206-logging reconcile pending
project.resourcemanager.cnrm.cloud.google.com/dns-project-oi1206 reconcile pending
logginglogbucket.logging.cnrm.cloud.google.com/security-log-bucket reconcile pending
logginglogbucket.logging.cnrm.cloud.google.com/platform-and-component-log-bucket-oi1206 reconcile pending
iampartialpolicy.iam.cnrm.cloud.google.com/security-log-bucket-writer-permissions reconcile successful
iampartialpolicy.iam.cnrm.cloud.google.com/platform-and-component-services-log-bucket-writer-permissions reconcile successful
iampartialpolicy.iam.cnrm.cloud.google.com/platform-and-component-services-infra-log-bucket-writer-permissions reconcile successful
iampartialpolicy.iam.cnrm.cloud.google.com/mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions reconcile successful
iamauditconfig.iam.cnrm.cloud.google.com/logging-project-data-access-log-config reconcile pending
storagebucket.storage.cnrm.cloud.google.com/security-incident-log-bucket reconcile successful
logginglogbucket.logging.cnrm.cloud.google.com/security-log-bucket reconcile successful
logginglogbucket.logging.cnrm.cloud.google.com/platform-and-component-log-bucket-oi1206 reconcile successful
service.serviceusage.cnrm.cloud.google.com/logging-project-oi1206-monitoring reconcile successful
service.serviceusage.cnrm.cloud.google.com/logging-project-oi1206-logging reconcile successful
project.resourcemanager.cnrm.cloud.google.com/dns-project-oi1206 reconcile successful
iamauditconfig.iam.cnrm.cloud.google.com/logging-project-data-access-log-config reconcile successful
reconcile phase finished
delete phase started
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-restrict-cloud-nat-usage-except-kcc-oi-6475 delete successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-shielded-vm-except-kcc-oi-6475 delete successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-serial-port-logging-except-kcc-oi-6475 delete successful
project.resourcemanager.cnrm.cloud.google.com/logging-project-oi1206 delete successful
folder.resourcemanager.cnrm.cloud.google.com/services-infrastructure delete successful
folder.resourcemanager.cnrm.cloud.google.com/services delete successful
folder.resourcemanager.cnrm.cloud.google.com/clients delete successful
folder.resourcemanager.cnrm.cloud.google.com/audits delete successful
monitoringmonitoredproject.monitoring.cnrm.cloud.google.com/kcc-oi-6475 delete successful
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-storageadmin-logging-project-oi1206-permissions delete successful
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-monitoring-admin-logging-project-oi1206-permissions delete successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com delete successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com delete successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com delete successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com delete successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com delete successful
rolebinding.rbac.authorization.k8s.io/allow-projects-resource-reference-from-policies delete successful
rolebinding.rbac.authorization.k8s.io/allow-projects-resource-reference-from-networking delete successful
rolebinding.rbac.authorization.k8s.io/allow-projects-resource-reference-from-logging delete successful
rolebinding.rbac.authorization.k8s.io/allow-logging-resource-reference-from-projects delete successful
rolebinding.rbac.authorization.k8s.io/allow-hierarchy-resource-reference-from-projects delete successful
rolebinding.rbac.authorization.k8s.io/allow-hierarchy-resource-reference-from-policies delete successful
rolebinding.rbac.authorization.k8s.io/allow-hierarchy-resource-reference-from-config-control delete successful
rolebinding.rbac.authorization.k8s.io/allow-folders-resource-reference-to-logging delete successful
delete phase finished
reconcile phase started
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-restrict-cloud-nat-usage-except-kcc-oi-6475 reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-shielded-vm-except-kcc-oi-6475 reconcile successful
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-serial-port-logging-except-kcc-oi-6475 reconcile successful
project.resourcemanager.cnrm.cloud.google.com/logging-project-oi1206 reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/services-infrastructure reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/services reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/clients reconcile pending
folder.resourcemanager.cnrm.cloud.google.com/audits reconcile pending
monitoringmonitoredproject.monitoring.cnrm.cloud.google.com/kcc-oi-6475 reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-storageadmin-logging-project-oi1206-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-monitoring-admin-logging-project-oi1206-permissions reconcile pending
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com reconcile pending
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com reconcile pending
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com reconcile pending
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com reconcile pending
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com reconcile pending
rolebinding.rbac.authorization.k8s.io/allow-projects-resource-reference-from-policies reconcile successful
rolebinding.rbac.authorization.k8s.io/allow-projects-resource-reference-from-networking reconcile successful
rolebinding.rbac.authorization.k8s.io/allow-projects-resource-reference-from-logging reconcile successful
rolebinding.rbac.authorization.k8s.io/allow-logging-resource-reference-from-projects reconcile successful
rolebinding.rbac.authorization.k8s.io/allow-hierarchy-resource-reference-from-projects reconcile successful
rolebinding.rbac.authorization.k8s.io/allow-hierarchy-resource-reference-from-policies reconcile successful
rolebinding.rbac.authorization.k8s.io/allow-hierarchy-resource-reference-from-config-control reconcile successful
rolebinding.rbac.authorization.k8s.io/allow-folders-resource-reference-to-logging reconcile pending
rolebinding.rbac.authorization.k8s.io/allow-folders-resource-reference-to-logging reconcile successful
folder.resourcemanager.cnrm.cloud.google.com/services-infrastructure reconcile successful
folder.resourcemanager.cnrm.cloud.google.com/services reconcile successful
folder.resourcemanager.cnrm.cloud.google.com/clients reconcile successful
monitoringmonitoredproject.monitoring.cnrm.cloud.google.com/kcc-oi-6475 reconcile successful
folder.resourcemanager.cnrm.cloud.google.com/audits reconcile successful
project.resourcemanager.cnrm.cloud.google.com/logging-project-oi1206 reconcile successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com reconcile successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com reconcile successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com reconcile successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-monitoring-admin-logging-project-oi1206-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-storageadmin-logging-project-oi1206-permissions reconcile successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com reconcile successful
reconcile phase finished
delete phase started
service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-serviceusage delete successful
service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-cloudresourcemanager delete successful
service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-cloudbilling delete successful
service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-anthos delete successful
service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-accesscontextmanager delete successful
iamserviceaccount.iam.cnrm.cloud.google.com/projects-sa delete successful
iamserviceaccount.iam.cnrm.cloud.google.com/policies-sa delete successful
iamserviceaccount.iam.cnrm.cloud.google.com/networking-sa delete successful
iamserviceaccount.iam.cnrm.cloud.google.com/logging-sa delete successful
iamserviceaccount.iam.cnrm.cloud.google.com/hierarchy-sa delete successful
iamserviceaccount.iam.cnrm.cloud.google.com/gatekeeper-admin-sa delete successful
iamserviceaccount.iam.cnrm.cloud.google.com/config-mgmt-mon-default-sa delete successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-serviceusageadmin-permissions delete successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectmover-permissions delete successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectiamadmin-permissions delete successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectdeleter-permissions delete successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectcreator-permissions delete successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-billinguser-permissions delete successful
iampolicymember.iam.cnrm.cloud.google.com/policies-sa-orgpolicyadmin-permissions delete successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-xpnadmin-permissions delete successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-servicedirectoryeditor-permissions delete successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-service-control-org-permissions delete successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-security-permissions delete successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-networkadmin-permissions delete successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-dns-permissions delete successful
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-monitoring-admin-kcc-oi-6475-permissions delete successful
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-logadmin-permissions delete successful
iampolicymember.iam.cnrm.cloud.google.com/hierarchy-sa-folderadmin-permissions delete successful
iampolicymember.iam.cnrm.cloud.google.com/gatekeeper-admin-sa-metric-writer-permissions delete successful
iampolicymember.iam.cnrm.cloud.google.com/config-mgmt-mon-default-sa-metric-writer-permissions delete successful
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-orgroleadmin-permissions delete successful
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-management-project-serviceaccountadmin-permissions delete successful
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-management-project-editor-permissions delete successful
iampartialpolicy.iam.cnrm.cloud.google.com/projects-sa-workload-identity-binding delete successful
iampartialpolicy.iam.cnrm.cloud.google.com/policies-sa-workload-identity-binding delete successful
iampartialpolicy.iam.cnrm.cloud.google.com/networking-sa-workload-identity-binding delete successful
iampartialpolicy.iam.cnrm.cloud.google.com/logging-sa-workload-identity-binding delete successful
iampartialpolicy.iam.cnrm.cloud.google.com/hierarchy-sa-workload-identity-binding delete successful
iampartialpolicy.iam.cnrm.cloud.google.com/gatekeeper-admin-sa-workload-identity-binding delete successful
iampartialpolicy.iam.cnrm.cloud.google.com/config-mgmt-mon-default-sa-workload-identity-binding delete successful
iamcustomrole.iam.cnrm.cloud.google.com/tier4-secretmanager-admin delete successful
iamcustomrole.iam.cnrm.cloud.google.com/tier3-vpcsc-admin delete successful
iamcustomrole.iam.cnrm.cloud.google.com/tier3-subnetwork-admin delete successful
iamcustomrole.iam.cnrm.cloud.google.com/tier3-firewallrule-admin delete successful
iamcustomrole.iam.cnrm.cloud.google.com/tier3-dnsrecord-admin delete successful
iamcustomrole.iam.cnrm.cloud.google.com/tier2-vpcpeering-admin delete successful
iamcustomrole.iam.cnrm.cloud.google.com/tier2-dnsrecord-admin delete successful
iamcustomrole.iam.cnrm.cloud.google.com/gke-firewall-admin delete successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com delete successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com delete successful
namespace/projects delete successful
namespace/policies delete successful
namespace/networking delete successful
namespace/logging delete successful
namespace/hierarchy delete successful
delete phase finished
reconcile phase started
service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-serviceusage reconcile successful
service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-cloudresourcemanager reconcile successful
service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-cloudbilling reconcile successful
service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-anthos reconcile successful
service.serviceusage.cnrm.cloud.google.com/kcc-oi-6475-accesscontextmanager reconcile successful
iamserviceaccount.iam.cnrm.cloud.google.com/projects-sa reconcile successful
iamserviceaccount.iam.cnrm.cloud.google.com/policies-sa reconcile successful
iamserviceaccount.iam.cnrm.cloud.google.com/networking-sa reconcile pending
iamserviceaccount.iam.cnrm.cloud.google.com/logging-sa reconcile pending
iamserviceaccount.iam.cnrm.cloud.google.com/hierarchy-sa reconcile pending
iamserviceaccount.iam.cnrm.cloud.google.com/gatekeeper-admin-sa reconcile pending
iamserviceaccount.iam.cnrm.cloud.google.com/config-mgmt-mon-default-sa reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-serviceusageadmin-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectmover-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectiamadmin-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectdeleter-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectcreator-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-billinguser-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/policies-sa-orgpolicyadmin-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-xpnadmin-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-servicedirectoryeditor-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-service-control-org-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-security-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-networkadmin-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-dns-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-monitoring-admin-kcc-oi-6475-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-logadmin-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/hierarchy-sa-folderadmin-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/gatekeeper-admin-sa-metric-writer-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/config-mgmt-mon-default-sa-metric-writer-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-orgroleadmin-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-management-project-serviceaccountadmin-permissions reconcile pending
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-management-project-editor-permissions reconcile pending
iampartialpolicy.iam.cnrm.cloud.google.com/projects-sa-workload-identity-binding reconcile pending
iampartialpolicy.iam.cnrm.cloud.google.com/policies-sa-workload-identity-binding reconcile pending
iampartialpolicy.iam.cnrm.cloud.google.com/networking-sa-workload-identity-binding reconcile pending
iampartialpolicy.iam.cnrm.cloud.google.com/logging-sa-workload-identity-binding reconcile pending
iampartialpolicy.iam.cnrm.cloud.google.com/hierarchy-sa-workload-identity-binding reconcile pending
iampartialpolicy.iam.cnrm.cloud.google.com/gatekeeper-admin-sa-workload-identity-binding reconcile pending
iampartialpolicy.iam.cnrm.cloud.google.com/config-mgmt-mon-default-sa-workload-identity-binding reconcile pending
iamcustomrole.iam.cnrm.cloud.google.com/tier4-secretmanager-admin reconcile pending
iamcustomrole.iam.cnrm.cloud.google.com/tier3-vpcsc-admin reconcile pending
iamcustomrole.iam.cnrm.cloud.google.com/tier3-subnetwork-admin reconcile pending
iamcustomrole.iam.cnrm.cloud.google.com/tier3-firewallrule-admin reconcile pending
iamcustomrole.iam.cnrm.cloud.google.com/tier3-dnsrecord-admin reconcile pending
iamcustomrole.iam.cnrm.cloud.google.com/tier2-vpcpeering-admin reconcile pending
iamcustomrole.iam.cnrm.cloud.google.com/tier2-dnsrecord-admin reconcile pending
iamcustomrole.iam.cnrm.cloud.google.com/gke-firewall-admin reconcile pending
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com reconcile pending
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com reconcile pending
namespace/projects reconcile pending
namespace/policies reconcile pending
namespace/networking reconcile pending
namespace/logging reconcile pending
namespace/hierarchy reconcile pending
iamserviceaccount.iam.cnrm.cloud.google.com/hierarchy-sa reconcile successful
iamserviceaccount.iam.cnrm.cloud.google.com/networking-sa reconcile successful
iamserviceaccount.iam.cnrm.cloud.google.com/gatekeeper-admin-sa reconcile successful
iamserviceaccount.iam.cnrm.cloud.google.com/logging-sa reconcile successful
iamserviceaccount.iam.cnrm.cloud.google.com/config-mgmt-mon-default-sa reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-serviceusageadmin-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectmover-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectiamadmin-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectcreator-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectdeleter-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-servicedirectoryeditor-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-billinguser-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-networkadmin-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-xpnadmin-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-monitoring-admin-kcc-oi-6475-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-security-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/policies-sa-orgpolicyadmin-permissions reconcile successful
iampartialpolicy.iam.cnrm.cloud.google.com/policies-sa-workload-identity-binding reconcile successful
iampartialpolicy.iam.cnrm.cloud.google.com/projects-sa-workload-identity-binding reconcile successful
iampartialpolicy.iam.cnrm.cloud.google.com/logging-sa-workload-identity-binding reconcile successful
iampartialpolicy.iam.cnrm.cloud.google.com/config-mgmt-mon-default-sa-workload-identity-binding reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/gatekeeper-admin-sa-metric-writer-permissions reconcile successful
iampartialpolicy.iam.cnrm.cloud.google.com/networking-sa-workload-identity-binding reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-service-control-org-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-dns-permissions reconcile successful
iampartialpolicy.iam.cnrm.cloud.google.com/hierarchy-sa-workload-identity-binding reconcile successful
iampartialpolicy.iam.cnrm.cloud.google.com/gatekeeper-admin-sa-workload-identity-binding reconcile successful
iamcustomrole.iam.cnrm.cloud.google.com/tier4-secretmanager-admin reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/hierarchy-sa-folderadmin-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/config-mgmt-mon-default-sa-metric-writer-permissions reconcile successful
iamcustomrole.iam.cnrm.cloud.google.com/tier2-vpcpeering-admin reconcile successful
iamcustomrole.iam.cnrm.cloud.google.com/tier2-dnsrecord-admin reconcile successful
iamcustomrole.iam.cnrm.cloud.google.com/gke-firewall-admin reconcile successful
iamcustomrole.iam.cnrm.cloud.google.com/tier3-vpcsc-admin reconcile successful
iamcustomrole.iam.cnrm.cloud.google.com/tier3-firewallrule-admin reconcile successful
iamcustomrole.iam.cnrm.cloud.google.com/tier3-dnsrecord-admin reconcile successful
iamcustomrole.iam.cnrm.cloud.google.com/tier3-subnetwork-admin reconcile successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com reconcile successful
configconnectorcontext.core.cnrm.cloud.google.com/configconnectorcontext.core.cnrm.cloud.google.com reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-logadmin-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-orgroleadmin-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-management-project-editor-permissions reconcile successful
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-management-project-serviceaccountadmin-permissions reconcile successful
namespace/hierarchy reconcile successful
namespace/policies reconcile successful
namespace/networking reconcile successful
namespace/projects reconcile successful
namespace/logging reconcile successful
reconcile phase finished
inventory update started
inventory update finished
delete result: 90 attempted, 90 successful, 0 skipped, 0 failed
reconcile result: 90 attempted, 90 successful, 0 skipped, 0 failed, 0 timed out

delete cluster

michael@cloudshell:~/kcc-oi-20231206/github/pubsec-declarative-toolkit/solutions (kcc-oi)$ ./setup.sh -b kcc-oi -u ar -n false -c false -l false -h false -d true -j true -p kcc-oi-6475