GoogleCloudPlatform / pubsec-declarative-toolkit

The GCP PubSec Declarative Toolkit is a collection of declarative solutions to help you on your Journey to Google Cloud. Solutions are designed using Config Connector and deployed using Config Controller.
Apache License 2.0

Tracking gcloud out-of-band forwarding-rules creation for PSC client-landing-zone - config connector acquires post kpt apply #823

Open fmichaelobrien opened 4 months ago

fmichaelobrien commented 4 months ago

part of landing zone automation in #766

Tracking gcloud out-of-band forwarding-rules creation for PSC client-landing-zone - config connector acquires post kpt apply

see https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/docs/landing-zone-v2/onboarding-client.md#add-the-client-landing-zone-package

  1. TEMPORARY WORKAROUND because of current location limitations when creating the Private Service Connect resource (PSC). It must be created manually with gcloud, Config Connector will then acquire it.

    # these temporary roles will be required to run the gcloud command:
    #   - Compute Network Admin (roles/compute.networkAdmin),
    #   - Service Directory Editor (roles/servicedirectory.editor)
    #   - DNS Administrator (roles/dns.admin)
    # https://cloud.google.com/vpc/docs/configure-private-service-connect-apis#roles
    
    HOST_PROJECT_ID='client-host-project-id'
    gcloud compute forwarding-rules create standardpscapisfw \
      --global \
      --network=global-standard-vpc \
      --address=standard-psc-apis-ip \
      --target-google-apis-bundle=all-apis \
      --project=${HOST_PROJECT_ID} \
      --service-directory-registration=projects/${HOST_PROJECT_ID}/locations/northamerica-northeast1

running

client-landing-zone gcloud workaround for PSC forwarding rule

https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/docs/landing-zone-v2/onboarding-client.md#add-the-client-landing-zone-package

    michael@cloudshell:~/kcc-cso/kpt (kcc-cso-4380)$ HOST_PROJECT_ID='net-host-project-cso3'
    michael@cloudshell:~/kcc-cso/kpt (kcc-cso-4380)$ gcloud compute forwarding-rules create standardpscapisfw \
      --global \
      --network=global-standard-vpc \
      --address=standard-psc-apis-ip \
      --target-google-apis-bundle=all-apis \
      --project=${HOST_PROJECT_ID} \
      --service-directory-registration=projects/${HOST_PROJECT_ID}/locations/northamerica-northeast1
    Created [https://www.googleapis.com/compute/v1/projects/net-host-project-cso3/global/forwardingRules/standardpscapisfw].

verify https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules/list

    michael@cloudshell:~/kcc-cso/kpt (kcc-cso-4380)$ gcloud compute forwarding-rules list --project ${HOST_PROJECT_ID}
    NAME: standardpscapisfw
    REGION:
    IP_ADDRESS: 10.255.255.254
    IP_PROTOCOL: TCP
    TARGET: all-apis

Check config-controller acquire of resource

    michael@cloudshell:~/kcc-cso/kpt (kcc-cso-4380)$ kpt live status client-landing-zone | grep computeforwardingrule
    inventory-90770020/computeforwardingrule.compute.cnrm.cloud.google.com/client-cso3-networking/net-host-project-cso3-standard-psc-apis-fw is Current: Resource is Current
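For reference, an added example (not the toolkit's own manifest) of what the Config Connector object that acquires the gcloud-created rule needs to look like so that KCC adopts the existing `standardpscapisfw` rather than creating a second one or deleting it later. The `resourceID`, `deletion-policy` and `project-id` annotation semantics are standard KCC; the `target.googleAPIsBundle` field name and the `networkRef`/`addressRef` object names are assumptions, and the Service Directory registration is left to the toolkit's package.

```yaml
# Added example, not from the pubsec-declarative-toolkit repo.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeForwardingRule
metadata:
  # KCC object name as shown by `kpt live status`; it differs from the
  # GCP resource name, so acquisition depends on spec.resourceID below.
  name: net-host-project-cso3-standard-psc-apis-fw
  namespace: client-cso3-networking
  annotations:
    cnrm.cloud.google.com/project-id: net-host-project-cso3
    # abandon: removing this manifest (or the kpt inventory) leaves the
    # out-of-band rule in place instead of deleting the PSC endpoint.
    cnrm.cloud.google.com/deletion-policy: abandon
spec:
  # Must equal the name given to `gcloud compute forwarding-rules create`;
  # with a different resourceID KCC would attempt a fresh create and fail.
  resourceID: standardpscapisfw
  location: global            # matches --global
  networkRef:
    name: global-standard-vpc # assumed KCC ComputeNetwork object name
  ipAddress:
    addressRef:
      name: standard-psc-apis-ip  # assumed KCC ComputeAddress object name
  target:
    googleAPIsBundle: all-apis    # assumed field for --target-google-apis-bundle
```

After `kpt live apply`, `kubectl describe computeforwardingrule -n client-cso3-networking net-host-project-cso3-standard-psc-apis-fw` should report `UpToDate` with no create attempt in the events, confirming acquisition rather than re-creation.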