GoogleCloudPlatform / pubsec-declarative-toolkit

The GCP PubSec Declarative Toolkit is a collection of declarative solutions to help you on your Journey to Google Cloud. Solutions are designed using Config Connector and deployed using Config Controller.
Apache License 2.0

Doc/Script update for shared billing wait state between kpt apply for projects-sa and gcloud iam associate of projects-sa with kcc project for Billing Account User role - or downstream services on logging/dns projects will fail to render #753

Open fmichaelobrien opened 7 months ago

fmichaelobrien commented 7 months ago

see #752

Summary:

For shared billing accounts the projects-sa KCC-focused SA must be associated as a BAU; for direct accounts we are OK.

https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/docs/landing-zone-v2#5-perform-the-post-deployment-steps

https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/gh446-hub/solutions/setup.sh#L332

Without this the projects don't get created for shared billing users, and the log syncs, as expected, won't render until the project is up. Direct billing associates the SA with the BAU OK.

Actually their issue is clearer now - will add to the docs - need to wait for projects-sa to complete.

Process: kpt apply, wait 15 min or until projects-sa is up via KRM - the wait(15 min) in the script passed them.

  count=$(kubectl get gcp -n projects | grep UpdateFailed | wc -l)

Wait until the count = 0, then proceed.

Associate projects-sa with the kcc project for BAU (or they receive an error that projects-sa does not yet exist).

kpt re-apply
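The wait-then-bind sequence above, written out as an added shell example (not from the toolkit's setup.sh): it polls the Config Connector resources in the `projects` namespace until none report `UpdateFailed`, then binds `projects-sa` as Billing Account User. The `get_gcp_resources` wrapper and the `BILLING_ID`/`KCC_PROJECT_ID` variables are assumptions used so the logic can be tested without a cluster.

```shell
#!/usr/bin/env bash
# Added example, not part of the pubsec-declarative-toolkit setup script.
set -eu

# Hypothetical wrapper around the real kubectl call so it can be swapped out in tests.
get_gcp_resources() {
  kubectl get gcp -n "$1"
}

# Count lines of `kubectl get gcp` output that show UpdateFailed.
# Takes the raw output as $1 so it works offline on captured text.
count_update_failed() {
  printf '%s\n' "$1" | grep -c 'UpdateFailed' || true
}

# Poll until no resource in the namespace reports UpdateFailed, or give up
# after timeout_s seconds (defaults mirror the 15 minute wait in the issue).
wait_for_projects_sa() {
  namespace="${1:-projects}"; timeout_s="${2:-900}"; interval_s="${3:-30}"
  elapsed=0
  while :; do
    failed=$(count_update_failed "$(get_gcp_resources "$namespace")")
    if [ "$failed" -eq 0 ]; then
      echo "no UpdateFailed resources left in namespace $namespace"
      return 0
    fi
    if [ "$elapsed" -ge "$timeout_s" ]; then
      echo "gave up after ${elapsed}s: $failed resource(s) still UpdateFailed" >&2
      return 1
    fi
    sleep "$interval_s"
    elapsed=$((elapsed + interval_s))
  done
}

# Grant projects-sa the Billing Account User role on the shared billing account
# (the same gcloud command the issue quotes from setup.sh).
bind_billing_user() {
  gcloud beta billing accounts add-iam-policy-binding "$1" \
    --member "serviceAccount:projects-sa@${2}.iam.gserviceaccount.com" \
    --role "roles/billing.user"
}

# Only run the real sequence when both ids are supplied; then re-run kpt apply.
if [ -n "${BILLING_ID:-}" ] && [ -n "${KCC_PROJECT_ID:-}" ]; then
  wait_for_projects_sa projects 900 30
  bind_billing_user "$BILLING_ID" "$KCC_PROJECT_ID"
  echo "projects-sa bound as billing user; re-run kpt apply now"
fi
```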

obriensystems commented 6 months ago

Uncomment line 458 - leave it on for both shared and direct billing for the projects-sa service account https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/gh446-hub/solutions/setup.sh#L458

  # confirm the projects-sa service account resource exists before binding it
  kubectl describe iamserviceaccount.iam.cnrm.cloud.google.com/projects-sa
  # uncomment below (not required for direct billing)
  gcloud beta billing accounts add-iam-policy-binding "${BILLING_ID}" --member "serviceAccount:projects-sa@${KCC_PROJECT_ID}.iam.gserviceaccount.com" --role "roles/billing.user"

Add dry-run capability - print results at least - it won't catch issues like runtime GCP quota problems, for example https://kpt.dev/reference/cli/live/apply/

--dry-run