The GCP PubSec Declarative Toolkit is a collection of declarative solutions to help you on your Journey to Google Cloud. Solutions are designed using Config Connector and deployed using Config Controller.
Apache License 2.0
Docs: add triage/fix scenario to wiki for when a krm service such as enabling monitoring in client-landing-zone times out intermittently - during reconcile and requires a re kpt apply to allow the dependency tree to continue #865
One org, obrien.industries, is working with the log sinks; the other, newer org, cloud-setup, is not.
The issue is likely missing IAM permissions on the clean account cloud-setup.org, whereas an older org that even had an older hub-env (obrien.industries, below) is OK.
Update: same issue on 2nd org - looks like logging-sa needs roles/storage.admin
Both a customer and I ran into this one, requiring an out-of-band fix - periodically (on only one of my recent 2 orgs
example of a working project with the permission working
see also https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/801 https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/807
https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/core-landing-zone/lz-folder/audits/logging-project/cloud-storage-buckets.yaml#L20 is missing permissions that are already set on https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/core-landing-zone/namespaces/logging.yaml#L82
both have logging-sa as loggingadmin at the org level
and monitoring admin at the kcc project level
setters.yaml
single service IAM issue