GoogleCloudPlatform / pubsec-declarative-toolkit

The GCP PubSec Declarative Toolkit is a collection of declarative solutions to help you on your Journey to Google Cloud. Solutions are designed using Config Connector and deployed using Config Controller.
Apache License 2.0

kpt live apply needs to be 10-15 min not 2 for the reconcile timeout loop - updating readme and script #802

Closed fmichaelobrien closed 7 months ago

fmichaelobrien commented 8 months ago

core-landing-zone deploys ok with a longer timeout of 15 min, not the default 2 in the readme. See the wiki: https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/wiki/DevOps#core-landing-zone--hub-env and the script #766 change: https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/gh766-script/solutions/setup.sh#L311

kpt live apply $REL_SUB_PACKAGE --reconcile-timeout=15m --output=table

see remaining logging-sa missing Storage Admin in #801

see testing of core-landing-zone in #766

increment prefix in vars.sh - for projects and buckets

export PREFIX=cso2

setup.sh code (deploy step excerpt; REL_SUB_PACKAGE is set earlier in the script)
  echo "kpt live init"
  # create the inventory ResourceGroup for the package in the config-control namespace
  kpt live init $REL_SUB_PACKAGE --namespace config-control
  # --force   (add to overwrite an inventory that already exists)
  echo "kpt fn render"
  # run the package pipeline (apply-setters) and keep the full function output
  kpt fn render $REL_SUB_PACKAGE --truncate-output=false
  echo "kpt live apply after 60s wait"
  sleep 60
  # reconcile timeout raised from the 2m default to 15m so core-landing-zone can finish
  kpt live apply $REL_SUB_PACKAGE --reconcile-timeout=15m --output=table
  echo "check status"
  # report only resources that are still reconciling or missing
  kpt live status --inv-type remote --statuses InProgress,NotFound

rerun

michael@cloudshell:~/kcc-cso/github/pubsec-declarative-toolkit/solutions (kcc-cso)$ ./setup.sh -b kcc-cso -u cso2 -n false -c false -l true -h false -r false -d false -j false -p kcc-cso-4380

wait 60 sec to let the GKE cluster stabilize 15 workloads
KCC_PROJECT_NUMBER: 343139601407
DIRECTORY_CUSTOMER_ID: C02w06bdi
generated derived setters-core-landing-zone.yaml
Directory kpt exists - using it
deploying core-landing-zone
get kpt release package solutions/core-landing-zone version 0.7.1
Package "core-landing-zone":
Fetching https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit@0.7.1
From https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit
 * tag               solutions/core-landing-zone/0.7.1 -> FETCH_HEAD
Adding package "solutions/core-landing-zone".

Fetched 1 package(s).
copy over generated setters.yaml
kpt live init
initializing "resourcegroup.yaml" data (namespace: config-control)...success
kpt fn render
Package "core-landing-zone": 
[RUNNING] "gcr.io/kpt-fn/apply-setters:v0.2"
[PASS] "gcr.io/kpt-fn/apply-setters:v0.2" in 600ms

Successfully executed 1 function(s) in 1 package(s).
kpt live apply after 60s wait

apiVersion: v1
kind: ConfigMap
metadata: # kpt-merge: /setters
  name: setters
  annotations:
    config.kubernetes.io/local-config: "true"
    internal.kpt.dev/upstream-identifier: '|ConfigMap|default|setters'
data:
  org-id: "734..46"
  lz-folder-id: "27..9"
  billing-id: "01B...7A"
  management-project-id: "kcc-cso-4380"
  management-project-number: "34...07"
  management-namespace: config-control
  allowed-trusted-image-projects: |
    - "projects/cos-cloud"
  allowed-contact-domains: |
    - "@cloud-setup.org"
  allowed-policy-domain-members: |
    - "C02w06bdi"
  allowed-vpc-peering: |
    - "under:organizations/73...6"
  logging-project-id: logging-project-cso2
  security-log-bucket: security-log-bucket-cso2
  platform-and-component-log-bucket: platform-and-component-log-bucket-cso2
  retention-locking-policy: "false"
  retention-in-days: "1"
  dns-project-id: dns-project-cso2
  dns-name: "cloud-setup.org."

1202 - better

hierarchy   RoleBinding/allow-hierarchy-resource-ref  Successful    Current                 <None>                                    17m     Resource is current                     
hierarchy   RoleBinding/allow-hierarchy-resource-ref  Successful    Current                 <None>                                    17m     Resource is current                     
hierarchy   RoleBinding/allow-hierarchy-resource-ref  Successful    Current                 <None>                                    17m     Resource is current                     
hierarchy   Folder/audits                             Successful    Current                 Ready                                     17m     Resource is Current                     
hierarchy   Folder/clients                            Successful    Current                 Ready                                     17m     Resource is Current                     
hierarchy   Folder/services                           Successful    Current                 Ready                                     17m     Resource is Current                     
hierarchy   Folder/services-infrastructure            Successful    Current                 Ready                                     17m     Resource is Current                     
logging     ConfigConnectorContext/configconnectorco  Successful    Current                 <None>                                    17m     status.healthy is true                  
logging     LoggingLogBucket/platform-and-component-  Successful    Current                 Ready                                     15m     Resource is Current                     
logging     LoggingLogBucket/security-log-bucket      Successful    Current                 Ready                                     15m     Resource is Current                     
logging     LoggingLogSink/logging-project-cso2-data  Successful    Current                 Ready                                     27s     Resource is Current                     
logging     LoggingLogSink/mgmt-project-cluster-plat  Successful    Current                 Ready                                     27s     Resource is Current                     
logging     LoggingLogSink/org-log-sink-data-access-  Successful    Current                 Ready                                     27s     Resource is Current                     
logging     LoggingLogSink/org-log-sink-security-log  Successful    Current                 Ready                                     27s     Resource is Current                     
logging     LoggingLogSink/platform-and-component-se  Successful    Current                 Ready                                     26s     Resource is Current                     
logging     LoggingLogSink/platform-and-component-se  Successful    Current                 Ready                                     26s     Resource is Current                     
logging     MonitoringMonitoredProject/kcc-cso-4380   Successful    Current                 Ready                                     17m     Resource is Current                     
logging     RoleBinding/allow-logging-resource-refer  Successful    Current                 <None>                                    17m     Resource is current                     
logging     StorageBucket/security-incident-log-buck  Successful    Failed                  Ready                                     15m     Update call failed: error fetching live 
networking  ConfigConnectorContext/configconnectorco  Successful    Current                 <None>                                    17m     status.healthy is true                  
networking  DNSManagedZone/dns-project-cso2-standard  Successful    Failed                  Ready                                     28s     Update call failed: error applying desir
policies    ConfigConnectorContext/configconnectorco  Successful    Current                 <None>                                    17m     status.healthy is true                  
policies    ResourceManagerPolicy/compute-disable-gu  Successful    Current                 Ready                                     17m     Resource is Current                     
policies    ResourceManagerPolicy/compute-disable-ne  Successful    Current                 Ready                                     17m     Resource is Current                     
policies    ResourceManagerPolicy/compute-disable-se  Successful    Current                 Ready                                     17m     Resource is Current                     
policies    ResourceManagerPolicy/compute-disable-se  Successful    Current                 Ready                                     17m     Resource is Current                     
policies    ResourceManagerPolicy/compute-disable-se  Successful    Current                 Ready                                     17m     Resource is Current                     
policies    ResourceManagerPolicy/compute-disable-vp  Successful    Current                 Ready                                     17m     Resource is Current                     
policies    ResourceManagerPolicy/compute-require-os  Successful    Current                 Ready                                     17m     Resource is Current                     
policies    ResourceManagerPolicy/compute-require-sh  Successful    Current                 Ready                                     17m     Resource is Current                     
policies    ResourceManagerPolicy/compute-require-sh  Successful    Current                 Ready                                     17m     Resource is Current                     
policies    ResourceManagerPolicy/compute-restrict-c  Successful    Current                 Ready                                     17m     Resource is Current                     
policies    ResourceManagerPolicy/compute-restrict-c  Successful    Current                 Ready                                     17m     Resource is Current                     
policies    ResourceManagerPolicy/compute-restrict-l  Successful    Current                 Ready                                     17m     Resource is Current                     
policies    ResourceManagerPolicy/compute-restrict-s  Successful    Current                 Ready                                     17m     Resource is Current                     
policies    ResourceManagerPolicy/compute-restrict-v  Successful    Current                 Ready                                     17m     Resource is Current                     
policies    ResourceManagerPolicy/compute-restrict-v  Successful    Current                 Ready                                     17m     Resource is Current                     
policies    ResourceManagerPolicy/compute-skip-defau  Successful    Current                 Ready                                     17m     Resource is Current                     
policies    ResourceManagerPolicy/compute-trusted-im  Successful    Current                 Ready                                     17m     Resource is Current                     
policies    ResourceManagerPolicy/compute-vm-can-ip-  Successful    Current                 Ready                                     17m     Resource is Current                     
policies    ResourceManagerPolicy/compute-vm-externa  Successful    Current                 Ready                                     17m     Resource is Current                     
policies    ResourceManagerPolicy/essentialcontacts-  Successful    Current                 Ready                                     17m     Resource is Current                     
policies    ResourceManagerPolicy/gcp-restrict-resou  Successful    Current                 Ready                                     17m     Resource is Current                     
policies    ResourceManagerPolicy/iam-allowed-policy  Successful    Current                 Ready                                     17m     Resource is Current                     
policies    ResourceManagerPolicy/iam-automatic-iam-  Successful    Current                 Ready                                     17m     Resource is Current                     
policies    ResourceManagerPolicy/iam-disable-audit-  Successful    Current                 Ready                                     17m     Resource is Current                     
policies    ResourceManagerPolicy/iam-disable-servic  Successful    Current                 Ready                                     17m     Resource is Current                     
policies    ResourceManagerPolicy/iam-disable-servic  Successful    Current                 Ready                                     17m     Resource is Current                     
policies    ResourceManagerPolicy/sql-restrict-publi  Successful    Current                 Ready                                     17m     Resource is Current                     
policies    ResourceManagerPolicy/storage-public-acc  Successful    Current                 Ready                                     17m     Resource is Current                     
policies    ResourceManagerPolicy/storage-uniform-bu  Successful    Current                 Ready                                     17m     Resource is Current                     
projects    ConfigConnectorContext/configconnectorco  Successful    Current                 <None>                                    17m     status.healthy is true                  
projects    IAMAuditConfig/logging-project-data-acce  Successful    Current                 Ready                                     15m     Resource is Current                     
projects    IAMPartialPolicy/mgmt-project-cluster-pl  Successful    Current                 Ready                                     15m     Resource is Current                     
projects    IAMPartialPolicy/platform-and-component-  Successful    InProgress              Ready                                     15m     reference LoggingLogSink logging/platfor
projects    IAMPartialPolicy/platform-and-component-  Successful    Current                 Ready                                     15m     Resource is Current                     
projects    IAMPartialPolicy/security-log-bucket-wri  Successful    Current                 Ready                                     15m     Resource is Current                     
projects    IAMPolicyMember/logging-sa-monitoring-ad  Successful    Current                 Ready                                     17m     Resource is Current                     
projects    IAMPolicyMember/logging-sa-storageadmin-  Successful    Current                 Ready                                     17m     Resource is Current                     
projects    RoleBinding/allow-projects-resource-refe  Successful    Current                 <None>                                    17m     Resource is current                     
projects    RoleBinding/allow-projects-resource-refe  Successful    Current                 <None>                                    17m     Resource is current                     
projects    RoleBinding/allow-projects-resource-refe  Successful    Current                 <None>                                    17m     Resource is current                     
projects    Project/dns-project-cso2                  Successful    Current                 Ready                                     15m     Resource is Current                     
projects    Project/logging-project-cso2              Successful    Current                 Ready                                     17m     Resource is Current                     
projects    Service/dns-project-cso2-dns              Successful    Current                 Ready                                     26s     Resource is Current                     
projects    Service/logging-project-cso2-logging      Successful    Current                 Ready                                     15m     Resource is Current                     
projects    Service/logging-project-cso2-monitoring   Successful    Current                 Ready                                     15m     Resource is Current                     

michael@cloudshell:~/kcc-cso/kpt (kcc-cso-4380)$ kpt live status core-landing-zone --inv-type remote --statuses InProgress,NotFound
michael@cloudshell:~/kcc-cso/kpt (kcc-cso-4380)$ kpt live status core-landing-zone | grep error
inventory-36537147/storagebucket.storage.cnrm.cloud.google.com/logging/security-incident-log-bucket is Failed: Update call failed: error fetching live state: error reading underlying resource: summary: Error when reading or editing Storage Bucket "security-incident-log-bucket": googleapi: Error 403: logging-sa@kcc-cso-4380.iam.gserviceaccount.com does not have storage.buckets.get access to the Google Cloud Storage bucket. Permission 'storage.buckets.get' denied on resource (or it may not exist)., forbidden

Same issue on redeployed cloud-setup

michael@cloudshell:~/kcc-cso/kpt (kcc-cso-4380)$ kpt live status core-landing-zone | grep error
inventory-36537147/storagebucket.storage.cnrm.cloud.google.com/logging/security-incident-log-bucket is Failed: Update call failed: error fetching live state: error reading underlying resource: summary: Error when reading or editing Storage Bucket "security-incident-log-bucket": googleapi: Error 403: logging-sa@kcc-cso-4380.iam.gserviceaccount.com does not have storage.buckets.get access to the Google Cloud Storage bucket. Permission 'storage.buckets.get' denied on resource (or it may not exist)., forbidden

michael@cloudshell:~/kcc-cso/kpt (kcc-cso-4380)$ kubectl describe storagebucket.storage.cnrm.cloud.google.com/security-incident-log-bucket -n logging
Name:         security-incident-log-bucket
Namespace:    logging
Labels:       <none>
Annotations:  cnrm.cloud.google.com/blueprint: kpt-pkg-fn-live
              cnrm.cloud.google.com/management-conflict-prevention-policy: none
              cnrm.cloud.google.com/project-id: logging-project-cso2
              cnrm.cloud.google.com/state-into-spec: merge
              config.k8s.io/owning-inventory: ec099affabc09ae4652ae62190d9b794c9ec63d1-1706718583884502216
              config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/logging-project-cso2
              internal.kpt.dev/upstream-identifier: storage.cnrm.cloud.google.com|StorageBucket|logging|security-incident-log-bucket
API Version:  storage.cnrm.cloud.google.com/v1beta1
Kind:         StorageBucket
Metadata:
  Creation Timestamp:  2024-01-31T16:33:31Z
  Generation:          1
  Resource Version:    4501241
  UID:                 b6cc605b-ac0b-45ae-ab03-0854998ab193
Spec:
  Autoclass:
    Enabled:                 true
  Location:                  northamerica-northeast1
  Public Access Prevention:  enforced
  Retention Policy:
    Is Locked:                  false
    Retention Period:           86400
  Uniform Bucket Level Access:  true
Status:
  Conditions:
    Last Transition Time:  2024-01-31T16:33:31Z
    Message:               Update call failed: error fetching live state: error reading underlying resource: summary: Error when reading or editing Storage Bucket "security-incident-log-bucket": googleapi: Error 403: logging-sa@kcc-cso-4380.iam.gserviceaccount.com does not have storage.buckets.get access to the Google Cloud Storage bucket. Permission 'storage.buckets.get' denied on resource (or it may not exist)., forbidden
    Reason:                UpdateFailed
    Status:                False
    Type:                  Ready
  Observed Generation:     1
Events:
  Type     Reason        Age                 From                      Message
  ----     ------        ----                ----                      -------
  Warning  UpdateFailed  93s (x22 over 33m)  storagebucket-controller  Update call failed: error fetching live state: error reading underlying resource: summary: Error when reading or editing Storage Bucket "security-incident-log-bucket": googleapi: Error 403: logging-sa@kcc-cso-4380.iam.gserviceaccount.com does not have storage.buckets.get access to the Google Cloud Storage bucket. Permission 'storage.buckets.get' denied on resource (or it may not exist)., forbidden

However, the logging-sa is missing Storage Admin:

Principal | Name | Roles
-- | -- | --
logging-sa@kcc-cso-4380.iam.gserviceaccount.com | logging-sa | Logging Admin, Monitoring Admin

https://cloud.google.com/storage/docs/access-control/iam-roles


Role | Description | Permissions
-- | -- | --
Storage Admin (roles/storage.admin) | Grants full control of buckets, managed folders, and objects, including getting and setting object ACLs or IAM policies. When applied to an individual bucket, control applies only to the specified bucket and the managed folders and objects within the bucket. | `firebase.projects.get`, `orgpolicy.policy.get`, `resourcemanager.projects.get`, `resourcemanager.projects.list`, `storage.buckets.*`, `storage.managedFolders.*`, `storage.objects.*`, `storage.multipartUploads.*`

added to #801
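As an added example (not code from this issue or from the toolkit), the following Python script turns the diagnosis above into a repeatable check: it parses a googleapi 403 message of the kind shown in the `kpt live status` / `kubectl describe` output for the principal and the denied permission, then looks up which roles that principal holds in a project IAM policy and which role would grant the permission. The IAM policy is constructed to mirror what the issue reports (logging-sa holding Logging Admin and Monitoring Admin); `ROLE_PERMISSIONS` is an illustrative subset in which only the `roles/storage.admin` entry follows the documentation row quoted above, and the `roles/logging.admin` and `roles/monitoring.admin` entries are placeholders.

```python
"""Diagnose a Config Connector 403: which permission is missing, which roles the
principal holds, and which role would grant it.

Added example for this issue thread; not code from the toolkit. SAMPLE_POLICY is
constructed to mirror the issue (logging-sa has Logging Admin and Monitoring
Admin only) and ROLE_PERMISSIONS is an illustrative subset, not the full
permission lists of those roles.
"""
import re
from fnmatch import fnmatchcase

# Role -> permission patterns. The storage.admin entry follows the
# roles/storage.admin documentation row quoted in the issue; the logging and
# monitoring entries are placeholders with a few representative patterns.
ROLE_PERMISSIONS = {
    "roles/storage.admin": [
        "firebase.projects.get", "orgpolicy.policy.get",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
        "storage.buckets.*", "storage.managedFolders.*",
        "storage.objects.*", "storage.multipartUploads.*",
    ],
    "roles/logging.admin": ["logging.*", "resourcemanager.projects.get"],        # placeholder subset
    "roles/monitoring.admin": ["monitoring.*", "resourcemanager.projects.get"],  # placeholder subset
}

# Constructed project IAM policy (same shape as `gcloud projects get-iam-policy --format=json`).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/logging.admin",
         "members": ["serviceAccount:logging-sa@kcc-cso-4380.iam.gserviceaccount.com"]},
        {"role": "roles/monitoring.admin",
         "members": ["serviceAccount:logging-sa@kcc-cso-4380.iam.gserviceaccount.com"]},
    ]
}

# The googleapi message as it appears in the issue's kpt / kubectl output.
SAMPLE_ERROR = (
    'Error when reading or editing Storage Bucket "security-incident-log-bucket": '
    "googleapi: Error 403: logging-sa@kcc-cso-4380.iam.gserviceaccount.com does not "
    "have storage.buckets.get access to the Google Cloud Storage bucket. "
    "Permission 'storage.buckets.get' denied on resource (or it may not exist)., forbidden"
)

# "<principal> does not have <permission> access" is the stable part of the message.
_DENIED = re.compile(r"(?P<principal>[\w.+-]+@[\w.-]+) does not have (?P<permission>[\w.]+) access")


def parse_permission_denied(message):
    """Return (principal, permission) from a googleapi 403 text, or None if absent."""
    m = _DENIED.search(message)
    return (m.group("principal"), m.group("permission")) if m else None


def role_grants(role, permission):
    """True if any pattern of the role matches the permission (e.g. storage.buckets.*)."""
    return any(fnmatchcase(permission, pat) for pat in ROLE_PERMISSIONS.get(role, []))


def roles_held(policy, member):
    """Sorted roles bound to the member in a project-level IAM policy."""
    return sorted({b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])})


def explain_permission(policy, member, permission):
    """Say whether the member has the permission, via which roles, and what would grant it."""
    held = roles_held(policy, member)
    via = [r for r in held if role_grants(r, permission)]
    would_grant = sorted(r for r in ROLE_PERMISSIONS if r not in held and role_grants(r, permission))
    return {"granted": bool(via), "roles_held": held,
            "granted_via": via, "roles_that_would_grant": would_grant}


def diagnose(policy, message):
    """Parse the 403 text and explain it against the policy; None if it is not a 403."""
    parsed = parse_permission_denied(message)
    if parsed is None:
        return None
    principal, permission = parsed
    return explain_permission(policy, "serviceAccount:" + principal, permission)


if __name__ == "__main__":
    print(diagnose(SAMPLE_POLICY, SAMPLE_ERROR))
```

Run against the constructed policy, `diagnose` reports `granted: False`, the two roles the account holds, and `roles/storage.admin` as the role that would grant `storage.buckets.get`, which is the same conclusion as the comment above. Note that the IAMPolicyMember resources in the status table read `Current` from Config Connector's point of view, so a check like this against the live project policy (not the KCC object status) is what actually confirms the grant landed on the project that owns the bucket.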