Open fmichaelobrien opened 7 months ago
Uncomment line 458 - leave it on for both shared and direct billing for the projects-sa service account https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/gh446-hub/solutions/setup.sh#L458
kubectl describe iamserviceaccount.iam.cnrm.cloud.google.com/projects-sa
# uncomment below (not required for direct billing)
gcloud beta billing accounts add-iam-policy-binding "${BILLING_ID}" --member "serviceAccount:projects-sa@${KCC_PROJECT_ID}.iam.gserviceaccount.com" --role "roles/billing.user"
Add dry run capability - print results at least - won't catch issues like runtime GCP quota problems for example https://kpt.dev/reference/cli/live/apply/
--dry-run
see #752
Summary:
For shared billing accounts the projects-sa KCC-focused SA must be associated as a BAU; for direct accounts we are OK.
https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/docs/landing-zone-v2#5-perform-the-post-deployment-steps
https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/gh446-hub/solutions/setup.sh#L332
Without this the projects don't get created for shared billing users - and the log syncs as expected won't render until the project is up. Direct billing associates the SA with the BAU OK.
actually their issue is clearer now - will add to the docs - need to wait for projects-sa to complete
process.... kpt apply wait 15 min or until projects-sa is up via krm - via wait(15 min) in the script passed them
count=$(kubectl get gcp -n projects | grep UpdateFailed | wc -l) wait until = 0 then proceed
associate projects-sa with kcc project for BAU (or they received an error that projects-sa does not yet exist)
kpt re-apply
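
The wait-then-bind sequence from the process steps above, as an added example that is not part of the original issue or of setup.sh. The `kubectl` and `gcloud` commands are the ones quoted in the issue and `kpt live apply` is from the linked kpt reference; `LIST_CMD`, `TIMEOUT_SECONDS`, `POLL_SECONDS`, `PKG_DIR` and the `--run` argument are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example (not from setup.sh): gate the billing binding on KCC state.
# Assumed knobs, not from the repo: LIST_CMD, TIMEOUT_SECONDS, POLL_SECONDS, PKG_DIR.
LIST_CMD="${LIST_CMD:-kubectl get gcp -n projects}"
TIMEOUT_SECONDS="${TIMEOUT_SECONDS:-900}"   # the 15 minute wait from the issue
POLL_SECONDS="${POLL_SECONDS:-30}"

# Count listing lines (stdin) that report UpdateFailed; prints 0 when none.
count_update_failed() {
  grep -c 'UpdateFailed' || true
}

# Poll until the listing succeeds with zero UpdateFailed rows.
# Returns 0 when clean, 1 when the timeout expires. A failed kubectl call
# counts as "not ready" rather than as an empty (clean) listing.
wait_until_ready() {
  wur_elapsed=0
  while :; do
    if wur_listing=$(${LIST_CMD} 2>/dev/null); then
      wur_failed=$(printf '%s\n' "${wur_listing}" | count_update_failed)
      if [ "${wur_failed}" -eq 0 ]; then return 0; fi
    fi
    if [ "${wur_elapsed}" -ge "${TIMEOUT_SECONDS}" ]; then return 1; fi
    sleep "${POLL_SECONDS}"
    wur_elapsed=$((wur_elapsed + POLL_SECONDS))
  done
}

main() {
  : "${BILLING_ID:?set BILLING_ID}" "${KCC_PROJECT_ID:?set KCC_PROJECT_ID}"
  wait_until_ready || { echo "still UpdateFailed after ${TIMEOUT_SECONDS}s" >&2; return 1; }
  # projects-sa must exist before it can be named in the binding.
  kubectl describe iamserviceaccount.iam.cnrm.cloud.google.com/projects-sa >/dev/null || return 1
  gcloud beta billing accounts add-iam-policy-binding "${BILLING_ID}" \
    --member "serviceAccount:projects-sa@${KCC_PROJECT_ID}.iam.gserviceaccount.com" \
    --role "roles/billing.user"
  kpt live apply "${PKG_DIR:?set PKG_DIR}"   # re-apply; PKG_DIR is a placeholder
}

# Run the sequence only when asked, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then main; fi
```

The timeout returns a non-zero status instead of proceeding, so a shared-billing deployment that never settles stops before the `roles/billing.user` binding is attempted.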